Drupal Release: 4.5.8

TL;DR

WordPress 4.5.8 is a security release that addresses multiple vulnerabilities including custom menu item access control, XSS issues with usernames, email header injection, and session fixation. This update is critical for maintaining the security of your WordPress installation and protecting your site from potential attacks.

Highlight of the Release

• Fixed security vulnerability allowing unauthorized access to custom menu items
• Patched XSS vulnerabilities related to username handling
• Addressed email header injection vulnerability
• Fixed session fixation security issue

Migration Guide

No special migration steps are required for this update. However, as with any security update, it's recommended to:

1. Back up your WordPress site before updating
2. Update to version 4.5.8 as soon as possible
3. Test your site functionality after the update, particularly any features related to:
   • Custom menus
   • User profile displays
   • Email functionality
   • User sessions and authentication

If you're using plugins that extend or modify WordPress's menu system, user management, or email functionality, verify that they continue to work correctly after the update.

Upgrade Recommendations

Immediate Update Strongly Recommended

This is a critical security release that addresses multiple vulnerabilities that could be exploited to compromise your WordPress site. All WordPress site owners should update to version 4.5.8 immediately.

The security issues fixed in this release affect core WordPress functionality related to user access control, cross-site scripting protection, session management, and email handling. These vulnerabilities could potentially be exploited to gain unauthorized access, inject malicious code, hijack user sessions, or send spoofed emails.

If you cannot update immediately, consider implementing additional security measures such as a web application firewall until you can complete the update.

Bug Fixes

This release includes four important security fixes:

Custom Menu Item Access Control (SA-2006-001)

Fixed a vulnerability where custom menu items were accessible to unauthorized users, potentially allowing access to restricted content or functionality.

XSS Protection for Usernames (SA-2006-002)

Addressed cross-site scripting (XSS) vulnerabilities related to the display and handling of usernames, preventing potential script injection attacks.

Email Header Injection (SA-2006-004)

Fixed an issue that could allow malicious users to inject additional email headers, potentially enabling email spoofing or other email-based attacks.

Session Fixation (SA-2006-003)

Resolved a session fixation vulnerability that could allow attackers to hijack user sessions under certain circumstances.

New Features

No new features were introduced in this release. WordPress 4.5.8 is focused entirely on security fixes to address specific vulnerabilities identified in previous versions.

Security Updates

WordPress 4.5.8 addresses four significant security vulnerabilities:

SA-2006-001: Custom Menu Items Access Control

Fixed a vulnerability where custom menu items could be accessed by unauthorized users, potentially exposing restricted content or administrative functions.

SA-2006-002: XSS Issues with Username

Patched cross-site scripting vulnerabilities related to username display and processing. This prevents attackers from injecting malicious scripts through specially crafted usernames.

SA-2006-003: Session Fixation Issue

Resolved a session fixation vulnerability that could allow attackers to set a user's session identifier and potentially hijack their session after they log in.

SA-2006-004: Email Header Injection

Fixed an email header injection vulnerability that could allow attackers to add additional headers to emails sent by WordPress, potentially enabling email spoofing or other email-based attacks.

Performance Improvements

No specific performance improvements were included in this release. The focus was entirely on addressing critical security vulnerabilities.

Impact Summary

WordPress 4.5.8 is a security-focused release that addresses four distinct vulnerabilities that could potentially be exploited to compromise WordPress sites. By fixing issues with custom menu access control, XSS vulnerabilities in username handling, email header injection, and session fixation, this update significantly improves the security posture of WordPress installations.

The impact of these fixes is primarily positive, as they close security holes without changing core functionality. Site administrators should notice no changes to normal site operation after updating, but will benefit from improved protection against several attack vectors.

This update is particularly important for sites that:

• Use custom menu items for navigation
• Have public user registration enabled
• Send emails through WordPress
• Have multiple user roles and access restrictions

While no new features are introduced, the security improvements make this an essential update for all WordPress installations.