WordPress Release: 3.1.3

Tag Name: 3.1.3

Release Date: 6/12/2011

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.1.3 is a security and maintenance release. It hardens input handling (URLs, MIME types, file names, GUIDs and hidden meta fields), adds an X-Frame-Options: SAMEORIGIN header on admin and login pages to defend against clickjacking, marks attachments created by the importer as private and cleans them up automatically, and fixes a meta query bug that returned duplicate posts. On the administrative side it adds pagination for Must-Use and Drop-in plugins on the Plugins screen.

Highlight of the Release

    • Added X-Frame-Options: SAMEORIGIN header to admin and login pages for clickjacking protection
    • Fixed meta query handling to prevent duplicate posts
    • Added pagination support for Must-Use and Drop-in plugins
    • Improved sanitization of URLs, MIME types, file names, and other user inputs
    • Enhanced attachment handling with new attachment context and security improvements

Migration Guide

No specific migration steps are required for this security and maintenance release. As with any WordPress update, it's recommended to:

  1. Back up your website before updating
  2. Update all sites running WordPress 3.1.x to version 3.1.3 as soon as possible
  3. Test your site functionality after the update

This is a security release that doesn't introduce any breaking changes to existing functionality.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains security fixes. All sites running WordPress 3.1.x should be updated to version 3.1.3 without delay.

The fixes cover several attack vectors: clickjacking of the admin and login pages, username disclosure through canonical author redirects, insufficient sanitization of URLs, MIME types and file names, editing of hidden meta fields, and exposure of files uploaded by the importer.

Bug Fixes

Meta Query Fixes

  • Fixed an issue where meta queries would return duplicate posts (props Greuben, fixes #17264)

URL and Redirect Handling

  • Fixed canonical redirects so that a request for ?author=N is no longer redirected to /author/username/ when that user has no published posts; the old behaviour let an attacker enumerate usernames of non-author accounts by iterating user IDs
  • Corrected the use of esc_url() where URLs were escaped improperly
  • Anchored the MIME type regular expression so a type is matched as a whole rather than as a substring

Plugin Management

  • Moved help text into WP_Plugins_List_Table for better organization (fixes #17327)

oEmbed Improvements

  • Fixed width and height parameter handling in WP_oEmbed::fetch() by casting values to integers, reducing dependency on provider implementations

New Features

Pagination for Must-Use and Drop-in Plugins

WordPress 3.1.3 introduces pagination support for Must-Use (mu-plugins) and Drop-in plugins in the admin interface, making it easier to manage sites with a large number of plugins. This enhancement improves the usability of the plugin management screen.

New Attachment Context

Attachments now carry a context that records their purpose, so WordPress can treat them accordingly. Attachments created by the importer are the first use: they are inserted with private status and scheduled for deletion once the import no longer needs them.

Security Updates

Protection Against Clickjacking

  • Added X-Frame-Options: SAMEORIGIN header to admin and login pages to prevent clickjacking attacks (related to #12293)
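The header core sends is only emitted on admin and login requests. The following Must-Use plugin is an added example written for this page, not WordPress core code: it keeps the 3.1.3 behaviour and extends it by sending the same header on front-end responses and tightening the login page to DENY. It assumes that core hooks its send_frame_options_header() to admin_init and login_init at the default priority 10, and the filter name example_frame_options_value is invented here.

```php
<?php
/*
Plugin Name: Frame Options Hardening (example)
Description: Extends the X-Frame-Options header WordPress 3.1.3 sends on admin and login pages to the public front end. Added example, not WordPress core code.
*/

// Assumption: WordPress 3.1.3 attaches send_frame_options_header() to the
// admin_init and login_init hooks, so wp-admin/ and wp-login.php already
// answer with "X-Frame-Options: SAMEORIGIN". Front-end pages are not covered,
// so a comment form or the admin bar of a logged-in user can still be framed
// by a third-party site. This adds the header to front-end responses as well.
function example_frame_options_front_end() {
    // If a theme or plugin already started output the header can no longer be
    // added; leave the response alone rather than trigger a PHP warning.
    if ( headers_sent() ) {
        return;
    }
    // Allow pages that genuinely must be embeddable to opt out by returning a
    // value other than SAMEORIGIN/DENY. The filter name is an invented example.
    $value = apply_filters( 'example_frame_options_value', 'SAMEORIGIN' );
    if ( ! in_array( $value, array( 'SAMEORIGIN', 'DENY' ), true ) ) {
        return;
    }
    header( 'X-Frame-Options: ' . $value );
}
// send_headers fires in WP::send_headers() before any template output.
add_action( 'send_headers', 'example_frame_options_front_end' );

// Nothing on the site needs to frame wp-login.php, so tighten the login page
// from SAMEORIGIN to DENY. DENY also stops a compromised same-origin page from
// framing the login form.
function example_frame_options_login_deny() {
    if ( ! headers_sent() ) {
        header( 'X-Frame-Options: DENY' );
    }
}
// Priority 11 runs after core's callback at priority 10; PHP's header()
// replaces an earlier header of the same name by default.
add_action( 'login_init', 'example_frame_options_login_deny', 11 );
```

Drop the file into wp-content/mu-plugins/ and confirm the result from outside: `curl -sI https://example.com/wp-login.php` should show an `X-Frame-Options` line. The value has to arrive as an HTTP response header; a `<meta http-equiv="X-Frame-Options">` tag in the page body is ignored by browsers.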

Input Sanitization

  • Sanitized GUID values both when they are saved and when they are displayed
  • Sanitized the MIME type on save and prevented it from being changed through the edit form handlers
  • Protected hidden (underscore-prefixed) meta fields from being created or changed through the post editor's custom field handlers
  • Ensured file extensions pass through sanitize_file_name()
  • Added nonce verification to form handlers that lacked it
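The hidden-meta and upload changes above are the ones a site can build on most directly. The Must-Use plugin below is an added example for this page, not WordPress core code. It assumes the 3.1.3 hidden-meta protection exposes an is_protected_meta filter with the arguments (bool $protected, string $meta_key, string $meta_type), and it uses the existing wp_handle_upload_prefilter hook, sanitize_file_name() and wp_check_filetype_and_ext(). The meta keys acl_allowed_roles and payment_reference are invented names.

```php
<?php
/*
Plugin Name: Meta and Upload Hardening (example)
Description: Builds on the 3.1.3 hidden-meta and upload sanitisation fixes. Added example, not WordPress core code.
*/

// 1. Hidden meta. Core treats keys that start with "_" as protected so they
// cannot be created or changed through the post editor's custom field
// handlers. Keys without the prefix that must not be user-editable either can
// be added through the is_protected_meta filter (signature assumed to be
// bool, key, type). The key names below are invented for this example.
function example_protect_extra_meta( $protected, $meta_key, $meta_type ) {
    $sensitive = array( 'acl_allowed_roles', 'payment_reference' );
    if ( 'post' === $meta_type && in_array( $meta_key, $sensitive, true ) ) {
        return true;
    }
    return $protected;
}
add_filter( 'is_protected_meta', 'example_protect_extra_meta', 10, 3 );

// 2. Uploads. Core sanitises the file name and stops the MIME type from being
// changed through edit forms; this prefilter goes one step further and never
// stores the type the browser claims.
function example_upload_prefilter( $file ) {
    if ( ! empty( $file['error'] ) ) {
        return $file; // PHP already rejected the upload; keep its error.
    }
    // Same normalisation core applies: an inner extension that is not on the
    // allowed list is neutralised, so "shell.php.jpg" becomes "shell.php_.jpg".
    $name = sanitize_file_name( $file['name'] );

    // Derive extension and MIME type on the server from the name and, for
    // images, from the file's actual bytes.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name );

    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        // Not on get_allowed_mime_types(). Core still accepts such files for
        // users with the unfiltered_upload capability; refuse them for everyone.
        $file['error'] = 'Upload rejected: file type is not allowed.';
        return $file;
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // Image bytes do not match the extension (e.g. a GIF named .jpg). Core
        // would rename the file; treating the mismatch as hostile is safer.
        $file['error'] = 'Upload rejected: extension does not match file content.';
        return $file;
    }
    // Replace the client-supplied name and type with the server-side values so
    // the stored post_mime_type is never chosen by the uploader.
    $file['name'] = $name;
    $file['type'] = $check['type'];
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_upload_prefilter' );
```

A string in $file['error'] makes wp_handle_upload() abort with that message. The prefilter only covers the wp_handle_upload() path used by the media uploader; sideloaded files pass through wp_handle_sideload() and its own prefilter hook and would need the same callback attached there.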

Import Security

  • Import attachments are now inserted with private status, so they no longer appear in public listings or in other users' media library views. Private status does not restrict direct HTTP access to the file under wp-content/uploads, which is why the cleanup below matters
  • Added a scheduled cleanup job that deletes old import attachments automatically
  • Introduced an attachment context so different kinds of attachments can be told apart and handled accordingly
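The scheduled cleanup runs through WP-Cron, which is triggered by page requests, so on a quiet site an import file can outlive its intended lifetime. The following Must-Use plugin is an added example for this page, not WordPress core code: it reports importer attachments that are still present after a day and can purge them. It assumes that 3.1.3 records the attachment context as post meta under the key _wp_attachment_context with the value import, and that importer attachments are inserted with post_status private; both are assumptions about the release, not facts stated on this page.

```php
<?php
/*
Plugin Name: Import Attachment Audit (example)
Description: Reports and optionally purges importer attachments that outlived the scheduled cleanup. Added example, not WordPress core code.
*/

// Assumption: the importer stores its attachments with post_status 'private'
// and the context meta key/value below.
define( 'EXAMPLE_IMPORT_CONTEXT_KEY', '_wp_attachment_context' );
define( 'EXAMPLE_IMPORT_CONTEXT_VALUE', 'import' );

// Return importer attachments older than $max_age seconds. On a healthy site
// this is empty: the cleanup job should already have removed them.
function example_stale_import_attachments( $max_age = 86400 ) {
    $candidates = get_posts( array(
        'post_type'   => 'attachment',
        'post_status' => 'private',
        'meta_key'    => EXAMPLE_IMPORT_CONTEXT_KEY,
        'meta_value'  => EXAMPLE_IMPORT_CONTEXT_VALUE,
        'numberposts' => -1,
    ) );
    $cutoff = time() - $max_age;
    $stale  = array();
    foreach ( $candidates as $attachment ) {
        // get_post_time( 'U', true ) is the GMT upload time as a Unix timestamp.
        if ( get_post_time( 'U', true, $attachment ) < $cutoff ) {
            $stale[] = $attachment;
        }
    }
    return $stale;
}

// Delete stale importer attachments, database row and file alike. Dry-run by
// default so an administrator can review the list before anything is removed.
function example_purge_stale_import_attachments( $dry_run = true, $max_age = 86400 ) {
    $report = array();
    foreach ( example_stale_import_attachments( $max_age ) as $attachment ) {
        $path = get_attached_file( $attachment->ID );
        if ( ! $dry_run ) {
            // Second argument bypasses the trash and deletes the file too.
            wp_delete_attachment( $attachment->ID, true );
        }
        $report[] = array(
            'id'      => $attachment->ID,
            'file'    => $path,
            'deleted' => ! $dry_run,
        );
    }
    return $report;
}

// Surface leftovers to administrators on every admin screen.
function example_import_audit_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $stale = example_stale_import_attachments();
    if ( empty( $stale ) ) {
        return;
    }
    echo '<div class="error"><p>' . esc_html( count( $stale ) )
        . ' importer attachment(s) are older than a day and still present;'
        . ' check that WP-Cron is running and review wp-content/uploads.</p></div>';
}
add_action( 'admin_notices', 'example_import_audit_notice' );
```

Call example_purge_stale_import_attachments( false ) from a one-off admin action once the dry-run report has been reviewed; the function deliberately has no public trigger so the purge cannot be fired by an unauthenticated request.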

Performance Improvements

Query Optimization

  • Improved preparation of SQL LIKE queries so the values are escaped consistently before the query runs; this is a correctness and hardening change more than a performance one
  • Fixed meta query handling so it no longer returns duplicate rows, which both corrects the result set and avoids the extra rows being fetched and processed

Impact Summary

WordPress 3.1.3 is primarily a security-focused release that addresses several important vulnerabilities while also fixing bugs and adding minor enhancements. The security improvements include protection against clickjacking attacks through X-Frame-Options headers, better sanitization of URLs, MIME types, and file names, and enhanced attachment handling with a new context system.

For administrators, the addition of pagination for Must-Use and Drop-in plugins improves the management experience on sites with many plugins. Developers will benefit from fixed meta query handling that prevents duplicate posts and improved sanitization functions. Content creators will experience more reliable oEmbed functionality with better parameter handling.

The changes are mostly under the hood, but together they reduce the attack surface of the admin area, the media library and the importer, and tighten input sanitization throughout the codebase.

Statistics:

Files Changed: 26
Line Additions: 162
Line Deletions: 64
Line Changes: 226
Total Commits: 18

Users Affected:

  • Enhanced security protections for admin pages with X-Frame-Options header
  • Improved plugin management with pagination for Must-Use and Drop-in plugins
  • Better protection of hidden meta fields and attachment handling

Contributors:

dd32, ryanboren, nacin