WordPress 5.3.1 was released today with 46 bug fixes and enhancements. Changes include several accessibility improvements and four security vulnerability fixes. The update includes multiple changes to the default Twenty Twenty theme.
Version 5.3.1 is a security and maintenance release. All users are encouraged to update as soon as possible. For those with auto-updates enabled, updates are currently rolling out. All major branches of WordPress from version 3.7 through 5.3 received the new security fixes.
The following security issues were addressed:
- Users without the correct permission (capability) could make a post sticky via the REST API.
- An issue where cross-site scripting (XSS) could be stored in links.
- Hardening the
wp_kses_bad_protocol()function so that it is aware of the named colon attribute. - A stored XSS vulnerability using block editor content.
Most of the release focused on maintenance. Form fields and buttons now have the same height, which should result in a more consistent admin UI. This has long been an issue, but the accessibility changes in WordPress 5.3 highlighted the problem.
A bug with how permalinks were generated with the new Date/Time changes in WordPress 5.3 has been fixed. This left some sites using date-based URLs with incorrect post permalinks.
Other changes include removing support for the CollegeHumor oEmbed provider (the site is no longer available), updating the sodium_compat library, and making sure admin verification emails use the user’s locale instead of the site’s locale. For a full overview of all changes, visit the WordPress 5.3.1 release page.
Accessibility Improvements
Some of the biggest accessibility changes fixed issues with the alternate admin color schemes available in WordPress. The accessibility improvements to buttons in WordPress 5.3 did not get carried over to most of the alternate schemes. Or, rather, those alternate color schemes were not taken into account when the changes went into effect. This left secondary button elements practically unreadable in some cases, which made accessibility worse.
Version 5.3.1 creates a unified design for secondary buttons for every color scheme. It also makes sure that the :active state for buttons are consistent.
Other improvements to accessibility include adding underlines to links on the Dashboard screen that were not clearly links by context, properly disabling nav menu forms when they should not be in use, and adding hover effects for links on the “About” admin screens.
Twenty Twenty Changes
The Twenty Twenty theme launched with JavaScript-based, smooth-scroll behavior for anchor links. This feature did not work correctly in all cases. It also broke anchor links to individual comments when paginated comments were enabled on a site.
Version 1.1 of Twenty Twenty includes CSS-based, smooth-scroll behavior. This greatly simplifies the code by using native behavior. It also works based on the user’s reduced motion setting for their browser, which enhances accessibility for the theme.
The theme update comes packaged with a new option for showing or hiding the post author bio. The setting is available under the “Theme Options” section in the customizer. It is enabled by default and will show the author bio section at the end of every post across the site.
The Twenty Twenty update also includes several bug fixes, most of which were trivial issues.
Hurray to the accessibility fixes for alternate colour schemes! Buttons have been looking bizarre on my dashboard since 5.3.
About the Twenty Twenty theme, it actually uses Times New Roman for post content on Windows, which shows that probably no one on the theme development/testing team ventures outside macOS.