WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
Thank you to the reporters for practicing responsible disclosure.
Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.
Thanks to everyone who contributed to 4.6.1:
Andrew Ozz, bonger, Boone Gorges, Chaos Engine, Daniel Kanchev, Dion Hulse, Drew Jaynes, Felix Arntz, Fredrik Forsmo, Gary Pendergast, geminorum, Ian Dunn, Ionut Stanciu, Jeremy Felt, Joe McGill, Marius L. J. (Clorith), Pascal Birchler, Robert D Payne, Sergey Biryukov, and Triet Minh.
Version 4.6 of WordPress, named “Pepper” in honor of jazz baritone saxophonist Park Frederick “Pepper” Adams III, is available for download or update in your WordPress dashboard. New features in 4.6 help you to focus on the important things while feeling more at home.
Streamlined Updates
Don’t lose your place: stay on the same page while you update, install, and delete your plugins and themes.
Native Fonts
The WordPress dashboard now takes advantage of the fonts you already have, making it load faster and letting you feel more at home on whatever device you use.
Editor Improvements
Inline Link Checker
Ever accidentally made a link to https://wordpress.org/example.org? Now WordPress automatically checks to make sure you didn’t.
Content Recovery
As you type, WordPress saves your content to the browser. Recovering saved content is even easier with WordPress 4.6.
Under The Hood
Resource Hints
Resource hints help browsers decide which resources to fetch and preprocess. WordPress 4.6 adds them automatically for your styles and scripts making your site even faster.
Robust Requests
The HTTP API now leverages the Requests library, improving HTTP standard support and adding case-insensitive headers, parallel HTTP requests, and support for Internationalized Domain Names.
WP_Term_Query and WP_Post_Type
The Meta Registration API has been expanded to support types, descriptions, and REST API visibility.
Translations On Demand
Masonry 3.3.2, imagesLoaded 3.2.0, MediaElement.js 2.22.0, TinyMCE 4.4.1, and Backbone.js 1.3.3 are bundled.
Customizer APIs for Setting Validation and Notifications
Settings now have an API for enforcing validation constraints. Likewise, customizer controls now support notifications, which are used to display validation errors instead of failing silently.
Multisite, now faster than ever
This release was led by Dominik Schilling, backed up by Garth Mortensen as Release Deputy, and with the help of these fine individuals. There are 272 contributors with props in this release. Pull up some Pepper Adams on your music service of choice, and check out some of their profiles:
A5hleyRich, Aaron Jorbin, achbed, Adam Silverstein, Adam Soucie, Adriano Ferreira, afineman, Ahmad Awais, aidvu, Aki Björklund, Alex Concha, Alex Dimitrov, Alex King, Alex Mills (Viper007Bond), alexvandervegt, Alice Brosey, Ana Aires, Andrea Fercia, Andrea Gandino, Andrew Nacin, Andrew Ozz, Andrew Rockwell, Andy Fragen, Andy Meerwaldt, Andy Skelton, Anil Basnet, Ankit K Gupta, anneschmidt, Antti Kuosmanen, Arunas Liuiza, Barry, Barry Ceelen, bassgang, Bernhard Kau, Birgir Erlendsson (birgire), bobbingwide, Boone B. Gorges, Brad Touesnard, Brandon Kraft, brianvan, Bruno Borges, Bryan Petty, Bryan Purcell, Chandra Patel, Chouby, Chris Christoff (chriscct7), Chris Mok, Chris Olbekson, Christoph Herr, Christopher Finke, Cliff Seal, clubduece, cmillerdev, Craig Ralston, crstauf, dabnpits, Daniel Bachhuber, Daniel Hüsken, Daniele Scasciafratte, dashaluna, davewarfel, David A. Kennedy, David Anderson, David Brumbaugh, David Cavins, David Herrera, David Mosterd, David Shanske, Derek Herman, Devin Price, Dion Hulse, Doug Wollison, Drew Jaynes, Ella Iseulde Van Dorpe, elrae, Eric Andrew Lewis, Erick Hitter, Fabien Quatravaux, Faison, Felix Arntz, flyingdr, FolioVision, francescobagnoli, Frank Bueltge, Frank Klein, Frank Martin, Fredrik Forsmo, Gabriel Koen, Gabriel Maldonado, Gary Pendergast, gblsm, Geeky Software, George Stephanis, Hardeep Asrani, Helen Hou-Sandí, Henry Wright, Hugo Baeta, Iain Poulson, Ian Dunn, Ignacio Cruz Moreno, imath, Inderpreet Singh, Ipstenu (Mika Epstein), J.D. Grimes, James Huff, James Nylen, Janne Ala-Äijälä, Jasper de Groot, javorszky, Jeff Farthing, Jeffrey de Wit, Jeremy Felt, Jeremy Green, Jeremy Herve, Jeremy Ward, Jerry Bates (jerrysarcastic), Jesin A, Jip Moors, Joe Dolson, Joe Hoyle, Joe McGill, Joel Williams, Johan Falk, John Blackbourn, John James Jacoby, John P. Green, John_Schlick, Jon (Kenshino), Jonathan Brinley, Jonny Harris, Joost de Valk, Joseph Scott, Josh Pollock, Joshua Goodwin, jpdavoutian, jrf, jsternberg, Juanfra Aldasoro, Juhi Saxena, julesaus, Justin Sainton, Kelly Dwan, Kevin Hagerty, Kite, kjbenk, Konstantin Kovshenin, Konstantin Obenland, Kurt Payne, Laurens Offereins, Luke Cavanagh, Lutz Schröer, Marcel Pol, Marius L. J. (Clorith), Mark Jaquith, Mark Uraine, martin.krcho, Matt Miklic, Matt Mullenweg, Matthew Batchelder, mattyrob, Mayeenul Islam, mdwheele, medariox, Mehul Kaklotar, Meitar, Mel Choyce, Michael, Michael Arestad, Michael Arestad, Michael Beil, Mike Bijon, Mike Hansen, Mike Schroder, Milan Dinić, Morgan Estes, moto hachi ( mt8.biz ), Mustafa Uysal, Nícholas André, Nextendweb, Niall Kennedy, Nick Halsey, Nikhil Chavan, Nilambar Sharma, Ninos, Noah, noahsilverstein, odyssey, ojrask, Olar Marius, ovann86, pansotdev, Pascal Birchler, Paul Bearne, Paul Wilde, pavelevap, pcarvalho, Peter Westwood, Peter Wilson, PeterRKnight, Petter Walbø Johnsgård, Petya Raykovska, Pieter, Pollett, postpostmodern, Presskopp, prettyboymp, r-a-y, Rachel Baker, rafaelangeline, raffaella isidori, Rahul Prajapati, Rami Yushuvaev, Rian Rietveld, Richard Tape, Robin Cornett, Rodrigo Primo, Ronald Huereca, Ruud Laan, Ryan McCue, Ryan Welcher, Sören Wrede, Samantha Miller, Samir Shah, Sara Rosso, schlessera, Scott Basgaard, Scott Kingsley Clark, Scott Reilly, Scott Taylor, screamingdev, Sebastian Pisula, semil, Sergey Biryukov, shahpranaf, Sidati, Silvan Hagen, Simon Vikström, sirjonathan, smerriman, southp, Stanko Metodiev, Stephane Daury (stephdau), Stephen, Stephen Edgar, Stephen Harris, Steven Word, stubgo, Sudar Muthu, Swapnil V. Patil, Taco Verdonschot, Takashi Irie, Tammie Lister, Taylor Lovett, theMikeD, thomaswm, Thorsten Frommen, Timothy Jacobs, tloureiro, Travis Northcutt, Ulrich, Unyson, Viktor Szépe, Vishal Kakadiya, vortfu, vovafeldman, websupporter, Weston Ruter, wp_smith, wpfo, Xavi Ivars, Yoav Farhi, Zack Tollman, and zakb8.
Finally, thanks to all the community translators who worked on WordPress 4.6. Their efforts make it possible to use WordPress 4.6 in 52 languages. The WordPress 4.6 release video has been captioned into 43 languages.
The second release candidate for WordPress 4.6 is now available.
We’ve made over 30 changes since the first release candidate. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.6 on Tuesday, August 16, but we need your help to get there.
If you haven’t tested 4.6 yet, now is the time!
A few changes of note since the first release candidate:
- Support for custom HTTP methods and proxy authentication has been restored.
- Unnecessary reference parameters have been removed from new multisite functions.
- A compatibility issue with PHP 7.0.9 (and PHP 7.1) has been fixed.
Developers, please test your plugins and themes against WordPress 4.6 and update your plugin’s Tested up to version in the readme to 4.6. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release – we never want to break things.
Be sure to read the in-depth field guide, a post with all the developer-focused changes that take place under the hood.
Translators, strings are now frozen, including the About Page, so you are clear to translate! Help us translate WordPress into more than 100 languages!
The verdict is in,
Can I haz all the features,
Your best WordPress yet.