Is your website already running the latest version of WordPress? We are talking about WordPress 5.6, also known as the Nina Simone update. This is the final major release of the content management system planned for 2020, and it was released on December 8.
The update comes with many new features, minor enhancements, and bug fixes. However, security researchers from Wordfence warn that some of the changes could have “immediate implications for security and compatibility”.
WordPress 5.6 Release Implications
One of the new features introduced in the latest WP version allows external apps to request permission to connect to a site. For this purpose, a password specific to the app is generated. Requests authenticated with that password can perform actions via the WordPress REST API, which is where the problems start.
“Unfortunately, socially engineering a site administrator into granting application passwords to a malicious application is trivial,” Wordfence warns. How can this new feature be exploited? By tricking a site owner into clicking a link that requests an application password and then naming the malicious app.
As the application password request URL sends the new password to the requester’s site using a redirect URL, there is more to worry about.
“Since application passwords function with the permissions of the user that generated them, an attacker could use this to gain control of a website,” the researchers explain. They even made a video demonstration of how application passwords can be abused via social engineering.
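A detection sketch for the application password request flow described above, added here as an example and not taken from the article or from Wordfence. It scans web server access logs for requests to WordPress's authorization screen (`/wp-admin/authorize-application.php`) and reports those whose `success_url` redirect points at a host you have not approved. The log lines and the allowlisted host are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2020:10:01:12 +0000] "GET /wp-admin/authorize-application.php?app_name=Site+Backup&success_url=https%3A%2F%2Fbackup.example.net%2Fcb HTTP/1.1" 200 5120
203.0.113.7 - - [09/Dec/2020:10:05:40 +0000] "GET /wp-admin/authorize-application.php?app_name=WordPress+Security+Update&success_url=https%3A%2F%2Fcollector.example.org%2Fin HTTP/1.1" 200 5120
198.51.100.4 - - [09/Dec/2020:10:06:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900
203.0.113.7 - - [09/Dec/2020:10:09:15 +0000] "GET /wp-admin/authorize-application.php?app_name=Mobile HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
AUTHORIZE_PATH = "/wp-admin/authorize-application.php"


def find_unexpected_requests(log_text, allowed_hosts):
    """Return authorization requests whose success_url host is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        # endswith() also matches WordPress installed in a subdirectory.
        if not target.path.endswith(AUTHORIZE_PATH):
            continue
        query = parse_qs(target.query)  # decodes %XX escapes and '+'
        success_url = query.get("success_url", [""])[0]
        if not success_url:
            continue  # no redirect target, so the password is not sent to another site
        host = (urlsplit(success_url).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append({
                "time": match.group("ts"),
                "app_name": query.get("app_name", [""])[0],
                "redirect_host": host,
            })
    return findings


if __name__ == "__main__":
    # Assumption: backup.example.net is the only integration this site expects.
    for hit in find_unexpected_requests(SAMPLE_LOG, {"backup.example.net"}):
        print(hit)
```

A hit is a prompt for review, not proof of abuse: legitimate integrations also use an external `success_url`, which is why the check compares against an allowlist of hosts you expect.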
Perhaps you have noticed that the jQuery Migrate script was removed in WP 5.5, causing many issues for plugins using older jQuery versions. As a workaround, many websites started using the Enable jQuery Migrate Helper plugin. If your site is one of them, you should check whether it functions correctly before updating it to version 5.6. Why do you need to check beforehand? Because the latest WordPress release updates the jQuery version, adding jQuery 3.3.2. This can create a conflict with the version re-enabled by the Helper plugin.
With the latest WP release, you may have compatibility issues with PHP 8, as it is only “beta compatible.” Plugin authors, in particular, may have challenges in terms of compatibility. If your website uses plugins, you may not be ready to update to PHP 8. However, if you’re just creating a website, “you’ll be able to get ahead of many issues by starting with the latest version of PHP and WordPress,” as Wordfence puts it.
From version 5.6 on, all new WordPress installations will receive automatic updates for major versions. A new site running on version 5 will be automatically updated to 5.7 once it is available. This may cause various issues, but the most likely ones will be with incompatible plugins. Fortunately, brand new websites will be less impacted.
The possible issues covered in this article (based on Wordfence’s report) are not the only problems you may experience. However, these are the most relevant for users. Whether to update to WordPress 5.6 depends on your use case. The latest release offers significant new additions, and even if they turn out to be troublesome, developers will eventually fix them.