Changes:
WordPress 4.2.3 fixes a cross-site scripting vulnerability, which could allow
users with the Contributor or Author role to compromise a site.
The release also fixes an issue where it was possible for a user with
Subscriber permissions to create a draft through Quick Draft.
In addition to the security fixes, WordPress 4.2.3 contains fixes for
21 bugs from 4.2.2, including:
* FIX - Upgrades: If a table has already been converted to utf8mb4,
there's no need to try and convert it again.
* FIX - Remove a redundant index drop.
* FIX - Don't upgrade global tables to utf8mb4 when
DO_NOT_UPGRADE_GLOBAL_TABLES is defined.
* FIX - Enable utf8mb4 for MySQL extension users.
* FIX - Plugin update relies upon wp_update_plugins() to check the
contents of the transient and return early if no request needs to
be made.
* FIX - WPDB: When extracting the table name from a query, there is a
1000 character limit on the SQL string that would be searched.
* FIX - WPDB: When checking that text isn't too long to insert into a
column, LONGTEXT columns could fail, as their length is longer than
PHP_INT_MAX.
* FIX - Plugin update handles the case where the plugin is installed
into a different directory than it previously existed in.
* FIX - Plugin update feature doesn't recognize errors.
* FIX - Plugin update error messages lack detail.
* FIX - Multiple plugin updates: Even if one of the plugin updates fails,
allow further updates to continue.
* FIX - In comment_form(), ensure that filtered arguments contain all
required default values.
* FIX - WPDB: Remove some of the complexities in
::strip_invalid_text() associated with switching character sets
between queries.
* FIX - WPDB: ::strip_text_from_query() doesn't pass a length to
::strip_invalid_text(), which was causing queries to fail when they
contained characters that needed to be sanity checked by MySQL.
* FIX - Emoji script is producing errors on pages with SVG content.
* FIX - Unable to drag widgets down page past certain length.
* FIX - TinyMCE: wpView: fix typo in createInstance that prevented
instances from being reused.
* FIX - SCRIPT_DEBUG check in print_emoji_detection_script()
generated PHP Notices.
* FIX - If the shortcode content contains HTML code, the TinyMCE View
no longer works.
* FIX - Better handling when the credential form is long (such as
when SSH is active).
* FIX - sanitize_option didn't handle a WP_Error Object.
WordPress 4.2.2 fixes a cross-site scripting vulnerability contained in an HTML
file shipped with recent Genericons packages included in the Twenty Fifteen
theme as well as a number of popular plugins by removing the file.
Version 4.2.2 also improves on a fix for a critical cross-site scripting
vulnerability introduced in 4.2.1.
The release also includes hardening for a potential cross-site scripting
vulnerability when using the Visual editor.
In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs
from 4.2.1, including:
o Fixes an emoji loading error in IE9 and IE10
o Fixes a keyboard shortcut for saving from the Visual editor on Mac
o Fixes oEmbed for YouTube URLs to always expect https
o Fixes how WordPress checks for encoding when sending strings to MySQL
o Fixes a bug with allowing queries to reference tables in the dbname.tablename
format
o Lowers memory usage for a regex checking for UTF-8 encoding
o Fixes an issue with trying to change the wrong index in the wp_signups table
on utf8mb4 conversion
o Improves performance of loop detection in _get_term_children()
o Fixes a bug where attachment URLs were incorrectly being forced to use https
in some contexts
o Fixes a bug where creating a temporary file could end up in an endless loop.
Changes:
WordPress 4.2:
o Press This has been completely revamped. Clip it, edit it, publish it. Get
familiar with the new and improved Press This. From the Tools menu, add Press
This to your browser bookmark bar or your mobile device home screen. Once
installed you can share your content with lightning speed. Sharing your
favorite videos, images, and content has never been this fast or this easy.
o Now you can browse and switch installed themes in the Customizer. Browse and
preview your installed themes from the Customizer. Make sure the theme looks
great with your content, before it debuts on your site.
o More intuitive plugin update and install from the Plugins Screen. Goodbye
boring loading screen, hello smooth and simple plugin updates. Click Update Now
and watch the magic happen.
o Writing in WordPress, whatever your language, just got better. WordPress 4.2
supports a host of new characters out-of-the-box, including native Chinese,
Japanese, and Korean characters, musical and mathematical symbols, and
hieroglyphs. Don’t use any of those characters? You can still have fun — emoji
are now available in WordPress! Get creative and decorate your content with 💙,
🐸, 🐒, 🍕, and all the many other emoji.
WordPress 4.2.1:
o fix for a critical cross-site scripting (XSS) vulnerability, which could
enable commenters to compromise a site.
Changes:
4.1.1:
Maintenance release, fixed 21 bugs.
4.1.2:
- A serious critical cross-site scripting vulnerability, which could enable
anonymous users to compromise a site.
- Files with invalid or unsafe names could be uploaded.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a
social engineering attack.
- Four hardening changes, including better validation of post titles within the
Dashboard.
Major changes:
General
- Show the number of approved comments, instead of total comments, in the “At A Glance” section in the dashboard.
- Site Language: Install translations on the fly on the General Settings screen. The language drop down now includes installed languages and all available translations when the filesystem is writable by WordPress.
- Admin notices: There are now four types of notices: success (green), warning (orange), error (red), and info (blue).
Posts
- Spellchecking is enabled for the post title field on the Edit Post screen.
Media
- Disable multi-file uploading in iOS 7.x Safari as it prevents uploading of videos.
- Allow PSDs (Photoshop documents) to be uploaded.
- oEmbed: Add support for the Vine endpoint.
- Display error message when Media Library upload fails.
Appearance
- Custom Header and Custom Background screens removed. Admin menu links now go to the Customizer.
- Widgets screen now has a Manage in Customizer link at top of screen.
- Themes: Make "Live Preview" the primary action and "Activate" secondary.
Users
- Introduce a button on the user profile screen which clears all other sessions, and on the user editing screen which clears all sessions.
Accessibility
- Admin menu separators are now hidden from screen readers.
- Improved keyboard control of Edit Selection mode in the media manager.
- Improved keyboard accessibility on Custom Header and Custom Background screen.
- Improved text contrast against dark backgrounds in the admin menu and toolbar.
- When switching to the Text editor, make the textarea visible to screen readers.
- Use <button> instead of <a> for the Visual/Text buttons to make them focusable.
- Improve the focus style for review links in the plugin info modal.
- TinyMCE:
-- Return focus to the editor on pressing Escape while the image toolbar is focused.
-- Add a Close button to the Help modal and close it on Escape.
-- Override the title on the editor iframe (read by screen reader apps), replace with the Alt+Shift+H shortcut.
-- Add focus shortcuts descriptions to the Help modal.
Multisite
- Set the default network language on the Network Settings screen.
Changes:
- Three cross-site scripting issues that a contributor or author could use to
compromise a site.
- A cross-site request forgery that could be used to trick a user into changing
their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress
makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be
compromised, that also required that they haven’t logged in since 2008 (I
wish I were kidding).
- WordPress now invalidates the links in a password reset email if the user
remembers their password, logs in, and changes their email address.
More details on http://codex.wordpress.org/Version_4.0.1.
Major changes:
General
- Featured image previews now support .bmp files
- Featured Image meta box is now hidden for contributors lacking upload
capabilities
- New supported oEmbed providers: CollegeHumor, Issuu, Mixcloud, YouTube
playlists, TED talks
- Install WordPress in your language
- Streamlined Language management right from the dashboard
Posts
- Display embed previews for audio/visual URLs in Visual editor content
box.
- Page scrolling now scrolls post content box.
- Edit Post/Page menu bar sticks to top of content box when scrolling
(Visual and Text editor).
- Color picker was re-added to the Visual editor
Media
- Add Media Grid view option (default) for Media Library
- Add "Bulk Select" button to Media Grid view to delete multiple items
- Add oEmbed support for TED talks, Mixcloud, CollegeHumor.com, Issuu
- Expand oEmbed support to include YouTube playlist URLs and Polldaddy’s
short URL format
- Remove Viddler oEmbed support
- Update SlideShare oEmbed regex
- Improved media experience on small screen sizes (embedded videos now
responsive)
- Native video and audio shortcodes now support Flash playback looping
Comments
- Comments in trash can now be marked as spam.
Plugins
- Display plugins list as grid, with thumbnails, on Add New screen.
- Add popup window with plugin details (displays info from plugin's
directory page).
- Add "Beta Testing" tab to Plugins screen for new features-as-plugins.
Accessibility
- Improved keyboard accessibility in the Add Media panel
- Improved screen-reader support for Customizer sections
- Makes links in help tabs keyboard accessible
- Improvements for screen-readers when managing widgets in the
Customizer
Install Process
- Add language select menu as first Installation screen (skipped for
localized installs)
Multisite
- mp4 file extension was added to allowed upload file types
Changes:
* Fixes a possible denial of service issue in PHP’s XML processing, reported by
Nir Goldshlager of the Salesforce.com Product Security Team. Fixed by Michael
Adams and Andrew Nacin of the WordPress security team and David Rothstein of
the Drupal security team.
* Fixes a possible but unlikely code execution when processing widgets
(WordPress is not affected by default), discovered by Alex Concha of the
WordPress security team.
* Prevents information disclosure via XML entity attacks in the external GetID3
library, reported by Ivan Novikov of ONSec.
* Adds protections against brute attacks against CSRF tokens, reported by David
Tomaschik of the Google Security Team.
* Contains some additional security hardening, like preventing cross-site
scripting that could be triggered only by administrators.
Changes:
- A smoother media editing experience
- Improved visual editing - speed, accessibility, and mobile support
- Edit images easily - quicker access to crop and rotation tools, scale images
directly in the editor
- Drag and drop your images right onto the editor
- Image gallery previews right in the editor
- Showcase music and clips with simple audio and video playlists
- Live widget and header image previews in the Customizer
- Stunning new theme browser
Version 3.9.1 fixes 34 bugs from 3.9.
More details on http://codex.wordpress.org/Version_3.9 and
http://codex.wordpress.org/Version_3.9.1
It contains 9 bugfixes and 5 security fixes:
* Potential authentication cookie forgery. CVE-2014-0166.
* Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
* (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
* (Hardening) Fix a low-impact SQL injection by trusted users.
* (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Changes:
Addressed 31 bugs in 3.8, including various fixes and improvements for the new
dashboard design and new themes admin screen.
More info at http://codex.wordpress.org/Version_3.8.1
Changes:
Introduces a new, modern admin design
* A fresh, uncluttered design
* Clean typography with Open Sans
* Superior contrast and large, comfortable type
* Responsive interfaces throughout
* Refined theme management
* Smoother, click-to-add widget management
New Default Theme - Twenty Fourteen
* Easily create a responsive magazine website with a sleek, modern design.
* Feature your favorite homepage content in either a grid or a slider.
* Use the three widget areas to customize your website, and change your
content's layout with a full-width page template and a contributor page to show
off your authors.
For Developers
* External Libraries have been updated.
* Better RTL support
More info on http://codex.wordpress.org/Version_3.8
Changes:
Version 3.7:
* Background Updates
- Automatic updates for maintenance and security updates.
- Daily updates for developers using nightly builds.
* Stronger Password Meter
- New password meter to encourage users to choose stronger passwords.
* Improved Search
- More relevant search results.
* Better Global Support
- Localized versions will receive faster and more complete translations.
- Background updates will include translations.
More info on http://codex.wordpress.org/Version_3.7
Version 3.7.1:
- Images with captions no longer appear broken in the visual editor.
- Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
- Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
- Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
- Fix a warning that may occur in certain setups while performing a search, and a few other notices.
More info on http://codex.wordpress.org/Version_3.7.1
Additionally: Version 3.6.1 fixes three security issues:
* Remote Code Execution: Block unsafe PHP de-serialization that could occur in
limited situations and setups, which can lead to remote code execution.
Reported by Tom Van Goethem. CVE-2013-4338.
* Link Injection / Open Redirect: Fix insufficient input validation that could
result in redirecting or leading a user to another website.
Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers
for Disease Control and Prevention. CVE-2013-4339.
* Privilege Escalation: Prevent a user with an Author role, using a specially
crafted request, from being able to create a post "written by" another user.
Reported by Anakorn Kyavatanakij. CVE-2013-4340.
Additional security hardening:
* Updated security restrictions around file uploads to mitigate the potential
for cross-site scripting. The extensions .swf and .exe are no longer allowed
by default, and .htm and .html are only allowed if the user has the ability
to use unfiltered HTML.
More on http://codex.wordpress.org/Version_3.6.1
ChangeLog:
New Default Theme - Twenty Thirteen
* Focus on blogging
* Single column layout with Sidebar / Widgets in the footer
* Latest Theme Features support, particularly Post Formats and Semantic Markup
* Font-based icons (Genericons)
Admin Enhancements
* UI improvements on Navigation Menus Screen
* Revisions revised to be more dynamic and scalable
* Autosave and Post Locking
* Preview Audio and Video on Media Edit Screen
* In-line login following expired sessions
For Developers
* External Libraries have been updated.
* New audio/video APIs give developers access to powerful media metadata, like ID3 tags.
* Filters for revisions, allowing you to set the number of revisions ad hoc instead of only via a define.
* Semantic Markup allows themes to choose improved HTML5 markup for search forms, comment forms, and comment lists.
* Search content for shortcodes with has_shortcode() and adjust shortcode attributes with a new filter.
More info on http://codex.wordpress.org/Version_3.6
Fixed issues:
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
* Editor: Prevent certain HTML elements from being unexpectedly removed or
modified in rare cases.
* Media: Fix a collection of minor workflow and compatibility issues in the new
media manager.
* Networks: Suggest proper rewrite rules when creating a new network.
* Prevent scheduled posts from being stripped of certain HTML, such as video
embeds, when they are published.
* Work around some misconfigurations that may have caused some JavaScript in
the WordPress admin area to fail.
* Suppress some warnings that could occur when a plugin misused the database or
user APIs.
Additionally: Version 3.5.1 fixes a few security issues:
* Server-side request forgery (SSRF) and remote port scanning via pingbacks.
Fixed by the WordPress security team.
* Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon
Cave of the WordPress security team.
* Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5
was released to address this issue.
Highlights
* New Media Manager
+ Beautiful interface: A streamlined, all-new experience
+ Create galleries faster with drag-and-drop reordering,
inline caption editing, and simplified controls
+ Insert multiple images at once with Shift/Ctrl+click
* New Default Theme - Twenty Twelve
+ Simple, flexible, elegant
+ Mobile-first, responsive design
+ Gorgeous Open Sans typeface
+ Uses the latest Theme Features
* Admin Enhancements
+ New Welcome Screen
+ Retina-Ready (HiDPI) Admin
+ Hide Link Manager for new installs
+ Better accessibility for screenreaders, touch devices, and
keyboard users
+ More polish on admin screens, including a new color picker
* For Developers
+ WP_Comment_Query and WP_User_Query now accept meta queries,
just like WP_Query
+ Meta queries now support querying for objects without a
particular meta key
+ Post objects are now instances of a WP_Post class, which
improves performance and caching
+ Multisite's switch_to_blog() is now significantly faster and
more reliable
+ WordPress has added the Underscore and Backbone JavaScript
libraries
+ TinyMCE, jQuery, jQuery UI, and SimplePie have all been
updated to the latest versions
+ Image Editing API for cropping, scaling, etc., that uses
ImageMagick as well as GD
+ XML-RPC: Now always enabled and supports fetching users,
managing post revisions, searching
+ New "show_admin_column" parameter for register_taxonomy()
allows automatic creation of taxonomy columns on associated post-types.
Changes:
* Fixes some issues in the admin area where some older browsers (IE7, in
particular) may slow down, lag, or freeze.
* Fixes an issue where a theme may not preview correctly, or its screenshot may
not be displayed.
* Fixes the use of multiple trackback URLs in a post.
* Prevents improperly sized images from being uploaded as headers from the
customizer.
* Ensures proper error messages can be shown to PHP4 installs. (WordPress
requires PHP 5.2.4 or later.)
* Fixes handling of oEmbed providers that only return XML responses.
* Addresses pagination problems with some category permalink structures.
* Adds more fields to be returned from the XML-RPC wp.getPost method.
* Avoids errors when updating automatically from very old versions of WordPress
(pre-3.0).
* Fixes problems with the visual editor when working with captions.
Additionally: Version 3.4.2 fixes a few security issues and contains some
security hardening. These issues were discovered and addressed by the WordPress
security team:
* Fix unfiltered HTML capabilities in multisite.
* Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
* Allow operations on network plugins only through the network admin.
* Hardening: Simplify error messages when uploads fail.
* Hardening: Validate a parameter passed to wp_get_object_terms().
ChangeLog:
WordPress 3.4.1:
* Fixes an issue where a theme’s page templates were sometimes not detected.
* Addresses problems with some category permalink structures.
* Better handling for plugins or themes loading JavaScript incorrectly.
* Adds early support for uploading images on iOS 6 devices.
* Allows for a technique commonly used by plugins to detect a network-wide activation.
* Better compatibility with servers running certain versions of PHP (5.2.4, 5.4)
or with uncommon setups (safe mode, open_basedir), which had caused warnings or
in some cases prevented emails from being sent.
Additionally: Version 3.4.1 fixes a few security issues and contains some security
hardening. These issues were discovered and fixed by the WordPress security team:
* Privilege Escalation/XSS. Critical. Administrators and editors in multisite
were accidentally allowed to use unfiltered_html for 3.4.0.
* CSRF. Additional CSRF protection in the customizer.
* Information Disclosure: Disclosure of post contents to authors and contributors
(such as private or draft posts).
* Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
* Hardening: Require a child theme to be activated with its intended parent only.
WordPress 3.4:
* Enhanced theme control
* Customize theme options before activating a new theme using Theme Customizer
* Use Theme Previewer to customize current theme without changing the front-end design
* Custom Headers
* Improved Custom Headers with flexible sizes
* Selecting Custom Header Images and Custom Background Images from Media Library Screen
* Media improvements
* Support HTML in image captions
* Under the Hood improvements
* Improvements in WordPress internationalization and localization
* Different split in translation POT files for faster translations
* Codex XML-RPC documentation updated (see XML-RPC_WordPress_API)
* WP_Query improvements
Three external libraries included in WordPress received security updates:
* Plupload (version 1.5.4), which WordPress uses for uploading media.
* SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
* SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
WordPress 3.3.2 also addresses:
* Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
* Cross-site scripting vulnerability when making URLs clickable.
* Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
Highlights:
* Easier Uploading
- File Type Detection - A single upload button
- Drag-and-Drop Media Uploader
* Dashboard Design
- New Toolbar in the dashboard, combining the Admin Bar and admin
header
- Responsive design for some screens, including iPad/tablet
support
- Flyout menus, providing single-click access to any screen
* New User Experience
- New feature pointers, helping users navigate new features
- Post-update About screen
- Dashboard welcome area for new installs
* Content Tools
- Better co-editing that releases post locks immediately
- Don't lose widgets when switching themes
- Tumblr Importer
* Under the Hood improvements
- Use the postname permalink structure without a performance
penalty
- Improved Editor API
- is_main_query() function and WP_Query method
- Remove a number of funky characters from post slugs
- jQuery 1.7.1 and jQuery UI 1.8.16
- A new Screen API for adding help documentation and adapting to
screen contexts
- Improved metadata API
* Performance improvements and hundreds of bug fixes
More changes at http://codex.wordpress.org/Version_3.3
From the Announcement blog: "This maintenance release fixes a server
incompatibility related to JSON that’s unfortunately affected some of you,
as well as a few other fixes in the new dashboard design and the Twenty
Eleven theme."
Highlights:
* Refreshed Administrative UI - Admin redesign
* New Default Theme "Twenty Eleven" - Uses the latest Theme Features
* Full Screen Editor - Distraction free writing experience
* Extended Admin Bar - More useful links to control the site
* Enhanced Browser Compatibility -
- Drop Internet Explorer 6 support
- Start End-of-life (EOL) cycle for Internet Explorer 7
- Browse Happy notify users of out-of-date browser
* WordPress is Faster and Lighter -
- Faster page loads -- We've gone through the most commonly loaded pages in WP and made improvements to their load time
- Faster Upgrades -- The update system now supports incremental upgrades, so after 3.2 you'll find upgrading faster than ever
- Optimizations to WP_Filesystem -- Updates over FTP are now much quicker and less error prone
- Stream downloads to the filesystem -- Improves update times and lowers the memory footprint
- Performance improvements for wptexturize()
- Remove PHP4 compatibility including timezone support
- More efficient term intersection queries
- Some optimizations in the HTML sanitizer (kses)
- Speed optimizations for is_serialized_string()
- Cache the Dashboard RSS Widgets HTML output to reduce unnecessary Ajax requests as well as the memory footprint
- And many other improvements and tweaks
Also contains the security fixes from WordPress 3.1.4.
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Improves file upload security on hosts with dangerous security settings.
* Cleans up old WordPress import files if the import does not finish.
* Introduce "clickjacking" protection in modern browsers on admin and login pages.
* Fix a vulnerability that allowed Contributor-level users to improperly
publish posts.
* Fix user queries ordered by post count.
* Fix multiple tag queries.
* Prevent over-escaping of post titles when using Quick Edit for pages.
This maintenance and security release fixes almost thirty issues in 3.1,
including:
* Some security hardening to media uploads
* Performance improvements
* Fixes for IIS6 support
* Fixes for taxonomy and PATHINFO (/index.php/) permalinks
* Fixes for various query and taxonomy edge cases that caused some plugin
compatibility issues
Version 3.1.1 also addresses three security issues discovered by
WordPress core developers Jon Cave and Peter Westwood, of WordPress's security
team. The first hardens CSRF prevention in the media uploader. The
second avoids a PHP crash in certain environments when handling
devilishly devised links in comments, and the third addresses an XSS
flaw.
Changes:
* Internal Linking - click a button for an internal link and it allows
you to search for a post or browse a list of existing content and select it
for inclusion.
* Admin Bar - contains various links to useful admin screens. By default,
the admin bar is displayed when a user is logged in and visiting the site
and is not displayed in admin screens for single blog installs. For multisite
installs, the admin bar is displayed both when visiting the site and in the
admin screens.
* Streamlined Writing Interface - new users of WordPress will find the write
screen much less cluttered than before, as more of the options are hidden by
default. You can click on Screen Options in the top right to bring them back.
* Post Formats - meta information that can be used by themes to customize
presentation of a post. Read more in the article Post Formats.
* Network Admin - move Super Admin menus and related pages out of the regular
admin and into a new Network Admin screen.
* List-type Admin Screens - sortable columns for list-type screens and better
pagination.
* Exporter/Importer Overhaul - many under the hood changes including adding
author information, better handling for taxonomies and terms, and proper
support for navigation menus.
* Custom Content Type Improvements - allows developers to generate archive
pages, and have better menu and capability controls.
* Advanced Queries - allows developers to query multiple taxonomies and custom
fields.
* Refreshed Blue Admin Color Scheme - puts the focus more squarely on your
content.
More changes at http://codex.wordpress.org/Version_3.1
* Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
* Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
* Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
* Enhancement: Force HTML filtering on comment text in the admin
* Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
* Update the license to GPLv2 (or later) and update copyright information for the KSES library.
ChangeLog:
* Fix XSS vulnerabilities in the KSES library: Don't be case sensitive to
attribute names. Handle padded entities when checking for bad protocols.
Normalize entities before checking for bad protocols in esc_url().
* Fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts.
* Fix moderate security issue where a malicious Author-level user could gain further access to the site.
* Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
* Fix canonical redirection for permalinks containing %category% with nested categories and paging.
* Fix occasional irrelevant error messages on plugin activation.
* Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
* Clarify the license in the readme
* Multisite: Fix the delete_user meta capability
* Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
* Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
* Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs
While here, set license.
3.0.1:
* Fixed 54 tickets total. A break down of ticket status by component can be found in Trac (http://core.trac.wordpress.org/milestone/3.0.1).
* Added unregister_nav_menu(), for child themes.
3.0:
* WordPress and WordPress MU have merged, allowing the management of multiple sites (called Multisite) from one WordPress installation.
* New default theme "Twenty Ten" takes full advantage of the current features of WordPress.
* New Custom Menu Management feature, allows creation of custom menus combining posts, pages, categories, tags, and links for use in theme menus or widgets.
* Custom Header and Custom Background APIs.
* Contextual help text accessed under the Help tab of every screen in the WordPress administration.
* Ability to set the admin username and password during installation.
* Bulk updating of themes with an automatic maintenance mode during the process.
* Support for Shortlinks.
* Improved Custom Post Types and Custom Taxonomies including hierarchical (category-style) support. (Try the Custom Post Type UI or GD Custom Posts And Taxonomies Tools plugins to see the possibilities.)
* A lighter admin color scheme to increase accessibility and put the focus more squarely on your content.
2.9.2:
* Fixed problem where logged in users can peek at trashed posts belonging to other authors.
* Fixed other issues
2.9.1:
* Fixed problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts
* Fixed other issues
2.9:
User Features
* Trash status for posts, pages, and comments (includes restore and permanent delete)
* Add support for 'include' and 'exclude' to [gallery] (Gallery Shortcode)
* Allow user registration to be enabled by an XMLRPC client
* Add support for sticky posts to the WXR exporter and importer
* 'rel=canonical' for singular pages
* Scroll back to the same location after saving a file in the Plugin and Theme editors
* Correct comments and remove unnecessary echos from the default themes sidebar template file
* Enable the APP (Atom) attachment file download to work correctly
* Support location of category templates based on 'category-slug' as well as 'category-id' (Ticket 10614)
* Support location of tag templates based on 'tag-id' as well as 'tag-slug' (Ticket 10868)
* Support location of page templates based on 'page-slug' and 'page-id'
* Set "Allow my blog to appear in search engines" to checked in installation
* Don't offer to make a category its own parent
* Remove Sphere from search list
* Minify admin CSS
* Show correct max upload filesize error message
* Add 'rel' attribute to next/previous post links
* Make the default and classic themes comment textareas valid XHTML
* Clean up '.button' and '.button[disabled]' CSS classes, add 'spinner' and 'gray-out' buttons after clicking Publish or Update post
* Fix race condition with autosave when clicking Publish immediately after entering post title
* Add Comments for Pages in the WordPress Default theme
* Define '$content_width' for Kubrick
* Better feedback on publishing of future posts and pages
* Display comments in descending date order, consistently
* Add means of automatically repairing tables
* Press This bookmarklet fixes
* Give plugins and themes simple control over the text displayed at the end of an autogenerated Excerpt
* Don't show "Change Permalinks" button when editing the page set as "Front page"
* Image editing
* Retire BunnyTags importer
* Retire Jerome's keywords importer
* Explain that the permalink is temporary for autosave generated permalinks
* Update SimplePie to 1.2
* Eliminate the redundant and confusing comment threading depth of 1
* Easier Embeds with oEmbed support (see Ticket #10337) (oEmbed discovery disabled by default, use plugin to enable it)
* TinyMCE 3.2.7
* Remove rel='tag' on links in Tag Clouds
* Add a title to the Home link output by wp_page_menu()
* Adjust comment moderation keyboard shortcut keys 'd = trash' or delete depending on the screen
* Show "Draft updated" instead of "Post updated" when saving draft
* Show the login form in a popup when autosave hits the login grace period
* Open View/Preview post in a new window from the link in the Saved/Updated message
* Separate fields for 'image alt' and 'image caption' in Media uploader
* Display better information about broken themes when there is no stylesheet
* Improve handling of the case where tables such as wp_options were 'corrupt' and a new installation message was offered. Add means of automatically repairing tables
* Export and import custom taxonomies
* Admin copy improvements
* Don't show page templates in the drop down if they are in a subdirectory
* Make codex link open in a new window
* Change 'Remove' link on widgets to 'Delete' because it doesn't just remove it, it deletes the settings for that widget instance.
Development, Themes, Plugins
* Added 'excerpt_more' filter to wp_trim_excerpt() function, which allows developers to change the excerpt '[...]' more string (Ticket 10395)
* Add 'smilies_src' filter so plugins can better add smilies
* Canonical redirects for post name queries
* Allow _wp_get_comment_list() to handle custom comment types
* Return an empty array instead of false for get_children() when no children found
* Add some filters so that HTTP requests can be filtered
* Move plugin update notice output to the plugin specific hook
* Limit wp-mail 'blog by email' checks to every 5 minutes
* Make it much easier to filter contact methods from user profiles
* Allow filtering of get_edit_post_link for custom post_type
* 'get_sample_permalink_html' filter
* Enforce activation key to be a string, reject activation keys that are arrays
* Support for new post types
* Respect custom post_type in queries
* Send Retry-After header when in maintenance mode
* Various WP Filesystem related fixes and documentation
* Add constants for ftp connections timeouts
* Increase timeout on cron-based requests when checking for upgrades
* Don't use has_action() before do_action() in http.php
* Speed up jQuery based scripts
* Use the current user as author for autosave
* Show My Posts as default view on the Edit Posts screen for users without 'edit_others_posts' cap
* Ensure that drafts viewed over XMLRPC have a correct gmt date set
* Pass user id to 'get_' the_author_meta filters
* Move _wp_get_user_contactmethods() into the registrations functions file
* Machine parseable db error codes
* Add global JS vars and actions to the media uploader iframe
* Add JSON compat for PHP < 5.2
* Make option_name the primary key for the options table
* Allow a plugin to do a complete takeover of Post by Email
* Logarithmic scale for tag cloud
* Pass Post ID to the 'get_comments_number' filter
* Always filter the url in the media upload form
* Add a 'the_terms' filter
* is_blog_installed() improvements
* Allow force_ssl_admin() to properly accept false as a value
* Pass logged_in cookie to async-upload and filter the cookie scheme in auth_redirect()
* Add more actions around database add/delete/update operations
* phpDoc for wp_"check|set"_post_lock functions
* Use the old strings which are more translator friendly and add a generic default string to aid re-use by plugins adding post_types
* Filter fields through kses upon display and introduce sanitize_user_object() and sanitize_user_field()
* Use null instead of 0 when setting content length
* Include 'hidden' directories in filesystem dirlist by default
* Pass args array to 'wp_list_pages' filter
* Actions for taxonomy updates
* Key should be 'comment_id' not 'post_id' in comments table
* Add get_delete_post_link () to retrieve delete posts link for post
* Add 'separator' parameter to wp_tag_cloud() and wp_generate_tag_cloud() functions (Ticket 10315)
* Added add_comment_meta() family of functions
* Use a post_parent of 0 instead of -1 to indicate unattached posts
* Improve get_page_hierarchy() function
* Deprecate the_content_rss(), add the_content_feed() and get_the_content_feed(). Convert places that called the_content_rss() with an excerpt length to the_excerpt_rss(). Remove the rss_excerpt_length option. Use the_content_feed() where the_content() was previously used in feeds.
* Add 'pad_counts' argument to wp_dropdown_categories()
* Remove codepress
* Remove the php-gettext library
* Canonical post thumbnails
* Add a filter to the_author_posts_link()
* Merge post.js with page.js and slug.js, optimize categories and tags JS, standardize postboxes IDs and JS
* Introduce register_theme_directory() which takes a wp-content-relative path and will additionally scan it for themes. Plugins can use this to add themes without requiring copying by the user
* Add set_user_role action hook
* Allow theme devs to change attrs (like CSS class) of thumbnail images
* Add wp-post-image CSS class to post images
* Allow for plugins to enhance the number of metadata fields captured from plugin and theme headers
* Merge updated pomo code
* Switch to using NOOP_Translations for untranslated sites
* Improve wptexturize performance
* Provide context to the strings in the Plugin and Theme installers to allow for different grammatical gender
* Fixes for theme subdir support
* Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data
* Add 'orderby=comment_count' argument to query_posts()
* Honor Post Type for Sticky Posts
* Allow querying multiple post types
* Introduce add_theme_support(feature) and current_theme_supports(feature) for announcing and checking theme support for various features
* Introduce require_if_theme_supports()
* Add number of Embed related filters
* Add 'IMAGE_EDIT_OVERWRITE' constant to control edited image save or replace, most useful for setups that have dynamic image resizing
* Add load_child_theme_textdomain() to allow child themes to have their own translation files
* Add sidebar descriptions to sidebar settings and widget admin screen
* Make option_id primary. Add uniques for option_name and autoload
* Allow plugins to override the behaviour of load_textdomain() in a variety of flexible ways
* Mark _c() as deprecated. The new _x() function should be used instead.
* Allow plugins to change the redirect on post/page publishing/submitting
* Standardize on 'user_id' instead of 'user_ID' when passing comment data. Accept either 'user_id' or 'user_ID'. Remove 'user_id' global.
* Filter imported comments
* Introducing set_post_image_size(w, h, crop) so themes can register their special size/crop for canonical post images
* Standardize around "post image" instead of "post thumbnail"
* Allow registering post image support per post type
* Return false from is_paged() if on the first page.
* Check MySQL and PHP versions when auto upgrading
* Add required php and mysql versions to version.php
* Hard code required version in update-core.php
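The wp_kses_post() and wp_kses_data() functions introduced in 2.9 (above) are the intended way for plugins and themes to filter user-supplied HTML. The following is an added example, not WordPress core code or anything shipped with this package; it assumes it runs inside a WordPress install (the hook names, capability names and kses functions are WordPress's own), while the option name, form field and function names are hypothetical:

```php
<?php
// Added example (not WordPress core code): filtering user-supplied HTML with
// wp_kses_post() on save and wp_kses_data() on output. Runs inside WordPress;
// 'example_site_notice' and the example_* functions are hypothetical names.

// Unsafe variant: stores whatever HTML was posted, <script> tags included,
// so any user who can reach this handler can inject markup into every page.
function example_save_notice_unfiltered() {
    update_option( 'example_site_notice', wp_unslash( $_POST['example_notice'] ) );
}

// Hardened variant: check the capability and nonce, then keep only the
// HTML allowed in post content, regardless of whether the submitting
// user holds the unfiltered_html capability.
function example_save_notice_filtered() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_notice' );
    $raw = isset( $_POST['example_notice'] ) ? wp_unslash( $_POST['example_notice'] ) : '';
    // Disallowed tags (script, iframe, ...), on* event handlers and
    // javascript: URLs are removed; text between stripped tags stays as inert text.
    // e.g. '<b>Maintenance</b> tonight<script>alert(1)</script>'
    //   -> '<b>Maintenance</b> tonightalert(1)'
    $clean = wp_kses_post( $raw );
    update_option( 'example_site_notice', $clean );
}
add_action( 'admin_post_example_save_notice', 'example_save_notice_filtered' );

// On output, filter again with the smaller 'data' allow-list (inline tags
// such as <b>, <em>, <a>, <code>), which is enough for a one-line notice.
// Filtering at display time also protects against values written to the
// option by other code paths that skipped wp_kses_post().
function example_render_notice() {
    echo wp_kses_data( get_option( 'example_site_notice', '' ) );
}
add_action( 'wp_footer', 'example_render_notice' );
```

The two calls use different allow-lists: wp_kses_post() permits the tag set allowed in post content, wp_kses_data() the much smaller set used for comment-style data, so choose the one that matches the field being rendered rather than the more permissive one by default.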
PR pkg/42765
- 2.8.5
* Fix for trackback DOS
* Removal of permalink_structure eval
* Remove some create_function() calls
* Disallow unfiltered uploads by default, even for admins. Enable it again with define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php
* Add extra escapes here and there for some backside coverage
* Retire two old importers
* A few small bug fixes
- 2.8.6
* Fixed an XSS vulnerability in Press This
* Fixed issue with sanitizing uploaded file names that can be exploited in certain Apache configurations