WordPress Release: 2.8.6

TL;DR

WordPress 2.8.6 is a security-focused maintenance release that addresses critical vulnerabilities including an XSS issue in Press This and improves file upload security by sanitizing filenames with multiple extensions. This update is essential for all WordPress 2.8.x users to protect their sites from potential security exploits.

Highlight of the Release

• Fixed XSS vulnerability in the Press This feature
• Improved file upload security by sanitizing filenames with multiple extensions
• Fixed MIME type checking for file uploads

Migration Guide

No specific migration steps are required for this update. This is a maintenance release that focuses on security fixes and can be applied through the standard WordPress update process.

To update:

1. Back up your WordPress site (files and database)
2. Use the automatic update feature in your WordPress dashboard
3. Alternatively, download the update from wordpress.org and perform a manual update

No database schema changes or template modifications are included in this release.

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress 2.8.x users.

This release contains important security fixes that protect your site from potential vulnerabilities. The security improvements address XSS vulnerabilities and file upload security issues that could be exploited by malicious actors.

Given the security-focused nature of this release, all WordPress 2.8.x installations should be updated as soon as possible to maintain site security and integrity.

Bug Fixes

• Fixed an issue with MIME type checking for file uploads where empty checks were not properly handled
• Improved line ending handling with proper EOL style settings
• Various minor bug fixes and improvements to maintain compatibility and stability

New Features

No significant new features were introduced in this maintenance release. WordPress 2.8.6 focuses primarily on security fixes and bug corrections to improve the stability and security of the platform.

Security Updates

• XSS Vulnerability in Press This: Fixed a cross-site scripting vulnerability in the Press This bookmarklet feature that could potentially allow attackers to inject malicious scripts (props to Benjamin Flesch for reporting this issue, fixes #11119)
• Multiple Extension File Upload Security: Improved security by sanitizing filenames with multiple extensions to prevent potential security exploits through malicious file uploads (fixes #11122)
• Enhanced MIME Type Validation: Strengthened the file upload security by improving MIME type validation checks

Performance Improvements

No specific performance improvements were highlighted in this release. WordPress 2.8.6 is primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 2.8.6 is a security maintenance release that addresses important vulnerabilities that could potentially be exploited by attackers. The most significant impact is the patching of an XSS vulnerability in the Press This feature and improvements to file upload security by properly sanitizing filenames with multiple extensions.

These security enhancements significantly improve the overall security posture of WordPress sites, particularly protecting against common attack vectors like cross-site scripting and malicious file uploads. While the changes are primarily under-the-hood security improvements, they are critical for maintaining site integrity and protecting user data.

Site administrators should prioritize this update to ensure their WordPress installations are protected against these known security issues. The update process is straightforward and doesn't introduce any breaking changes, making it a low-risk, high-reward maintenance update.