WordPress Release: 3.7.21

TL;DR

WordPress 3.7.21 Release

This maintenance release focuses on security improvements for WordPress 3.7. It includes several important security fixes that address potential vulnerabilities in XML-RPC, post meta handling, customizer sessions, file system credentials, and media uploads. These updates are critical for maintaining the security posture of WordPress 3.7 installations, even though this is an older branch of WordPress.

Highlight of the Release

• Added whitelist for post arguments in XML-RPC to enhance security
• Improved post meta validation checks
• Added nonce verification for file system credential updates
• Enhanced error handling for media uploads
• Fixed invalid customization session handling

Migration Guide

No specific migration steps are required for this update. This is a maintenance release that focuses on security improvements and can be applied directly to existing WordPress 3.7 installations.

However, it's important to note that WordPress 3.7 is an older branch, and users are strongly encouraged to upgrade to the latest WordPress version for the most comprehensive security protection and feature set.

Upgrade Recommendations

This update is highly recommended for all WordPress 3.7 users due to the security fixes included. The security enhancements address several potential vulnerabilities that could be exploited if left unpatched.

While upgrading within the 3.7 branch is important if you must remain on this version, the WordPress team strongly recommends upgrading to the latest WordPress major version for the most comprehensive security protection, bug fixes, and feature improvements.

Upgrade Priority: High (Security Release)

Backup Recommendation: As with any WordPress update, it's recommended to backup your site before upgrading, even for maintenance releases.

Bug Fixes

• Customizer Sessions: Fixed an issue where invalid customization sessions were not being properly ignored, which could lead to unexpected behavior in the theme customizer.

• Media Upload Errors: Simplified and improved the construction of error messages during media uploads, providing clearer feedback when uploads fail.

• Post Meta Handling: Adjusted post meta checks to improve validation and prevent potential security issues related to meta data manipulation.

New Features

No new features were added in this maintenance release. WordPress 3.7.21 focuses exclusively on security enhancements and bug fixes for the 3.7 branch.

Security Updates

• XML-RPC Security Enhancement: Implemented a whitelist for post arguments in XML-RPC to prevent potential abuse of the XML-RPC interface. This restricts the post arguments that can be passed through XML-RPC calls to only those that are necessary and expected.

• File System Credentials Protection: Added nonce verification for updating file system credentials, preventing cross-site request forgery (CSRF) attacks when WordPress needs to request credentials for file operations.

• Post Meta Validation: Strengthened validation checks for post meta operations to prevent potential security vulnerabilities related to unauthorized meta data manipulation.

• Customizer Session Handling: Improved security by properly ignoring invalid customization sessions, preventing potential exploitation of the theme customizer.

Performance Improvements

No specific performance improvements were included in this release. The changes were primarily focused on security enhancements rather than performance optimizations.

Impact Summary

WordPress 3.7.21 is a security-focused maintenance release that addresses several potential vulnerabilities in the WordPress 3.7 branch. The changes primarily affect the security of XML-RPC functionality, post meta handling, customizer sessions, file system credential management, and media uploads.

This release is particularly important for sites still running WordPress 3.7, as it patches security issues that could potentially be exploited. The security enhancements provide better protection against unauthorized access and potential attack vectors without changing the core functionality or user experience of WordPress 3.7.

While this update is crucial for sites running WordPress 3.7, it's worth noting that this is an older branch of WordPress, and users would benefit significantly from upgrading to the latest WordPress version for comprehensive security protection and access to newer features.