
WordPress Release: 3.7.22

Tag Name: 3.7.22

Release Date: 9/19/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.7.22 is a security-focused maintenance release that addresses several vulnerabilities in the core platform. This update includes important security hardening for the database API, editor, filesystem handling, and user management components. It prevents potential XSS attacks, improves URL handling, and strengthens input validation throughout the system.

Highlight of the Release

  • Security hardening for wpdb::prepare() to prevent SQL injection vulnerabilities
  • Prevention of javascript: and data: URLs in the inline link dialog to block XSS attacks
  • Improved URL validation and escaping throughout the admin interface
  • Enhanced filesystem security when handling zip files

Migration Guide

No migration steps are required for this update. This is a security release that maintains backward compatibility with existing WordPress installations.

However, developers should note that the wpdb::prepare() method now more strictly enforces its documented behavior:

  • Only %s, %d, and %F placeholders are supported
  • Additional values passed beyond those needed for placeholders will be ignored
  • Non-escaped % characters in the query string will be automatically escaped

If your custom code relies on undocumented behavior of wpdb::prepare(), you may need to update it to comply with the documented API.
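The documented contract above is easiest to see in use. The following is an added example, not code from WordPress core; it assumes it runs inside a WordPress request where the global $wpdb object exists, and the input values ($post_id, $status, $min_menu, $search) are constructed stand-ins for request data.

```php
<?php
// Added example, not WordPress core code. Assumes a WordPress request context
// where the global $wpdb object is available.
global $wpdb;

// Constructed sample inputs, standing in for values read from a request.
$post_id  = 42;         // bound with %d (cast to integer)
$status   = 'publish';  // bound with %s (quoted and escaped)
$min_menu = 1.5;        // bound with %F (formatted as a float)
$search   = '50% off';  // contains a literal %, so it must go through a placeholder

// Every dynamic value is bound through one of the three supported placeholders;
// the query string itself contains no request-controlled text.
$sql = $wpdb->prepare(
    "SELECT ID, post_title
       FROM {$wpdb->posts}
      WHERE ID = %d
        AND post_status = %s
        AND menu_order >= %F",
    $post_id,
    $status,
    $min_menu
);
$rows = $wpdb->get_results( $sql );

// LIKE searches: neutralise the % and _ wildcards inside the user's term with
// esc_like(), add the wildcards you intend, and bind the whole pattern with %s.
// The pattern travels as a value, never as part of the query string.
$pattern = '%' . $wpdb->esc_like( $search ) . '%';
$sql = $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s",
    $pattern
);
$ids = $wpdb->get_col( $sql );

// Only %s, %d and %F are placeholders. Surplus arguments are ignored rather than
// spliced in, so this call binds $post_id and silently drops 'ignored'.
$sql = $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE ID = %d",
    $post_id,
    'ignored'
);

// The pattern prepare() exists to replace: a value interpolated into the query
// string is already SQL by the time any function sees it, so nothing can
// escape it afterwards. Kept here only as the shape to look for in code review.
// $unsafe = "SELECT ID FROM {$wpdb->posts} WHERE post_status = '$status'";
```

When auditing custom plugins for compatibility with this release, the two things to look for are `%` characters in the static part of a query string that were meant as placeholders other than `%s`, `%d`, `%F`, and calls that pass more arguments than there are placeholders while relying on the extras being used.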

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes that protect your WordPress site from potential vulnerabilities. All WordPress site owners should upgrade to version 3.7.22 immediately.

If you are running the 3.7 branch, consider updating to the latest WordPress release rather than stopping at 3.7.22. WordPress 3.7 is quite old, and newer major versions provide significant enhancements to security, performance, and functionality.

Bug Fixes

Security Fixes and Bug Fixes

  • Fixed an issue in the editor that allowed adding potentially malicious javascript: and data: URLs through the inline link dialog
  • Added a fallback mechanism for incorrect HTTP referrers in user management
  • Fixed URL-encoding issues for plugin and template names displayed in the admin area
  • Addressed potential security issues with malformed file paths during unzipping operations
  • Fixed inconsistencies in wpdb::prepare() to properly handle placeholders according to documentation
  • Improved handling of null values in database queries to prevent unnecessary warnings
  • Enhanced URL escaping in user management functions

New Features

No new features were added in this release. WordPress 3.7.22 is focused on security improvements and bug fixes to the existing functionality.

Security Updates

Security Enhancements

  • Editor Security: Prevented the addition of potentially malicious javascript: and data: URLs through the inline link dialog, closing a potential XSS vulnerability
  • Database Hardening: Multiple improvements to wpdb::prepare() to prevent SQL injection:
    • Enforced stricter handling of placeholders (%s, %d, and %F)
    • Prevented additional values from being processed when arrays are passed
    • Escaped any non-placeholder percentage signs in query strings
  • Filesystem Protection: Enhanced validation of filenames before unzipping to prevent directory traversal attacks
  • Admin Interface Hardening: Added URL-encoding and additional security measures for plugin and template names displayed in the admin area
  • User Management: Improved URL escaping and added a fallback for incorrect HTTP referrers
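The editor fix above is an allowlist decision: a link href is accepted only if its scheme is one the site intends to emit. The following plain-PHP check is an added example, not WordPress core code (WordPress itself routes such values through esc_url() and wp_allowed_protocols()); the function name is_allowed_link_url() and the sample hrefs are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Accepts an href only when its scheme
// is on an explicit allowlist; javascript: and data: are simply never listed.

function is_allowed_link_url( string $url, array $allowed = array( 'http', 'https', 'mailto', 'tel' ) ): bool {
    // Browsers strip leading/trailing C0 controls and spaces, and drop tab,
    // LF and CR anywhere in the input, before reading the scheme. Apply the
    // same normalisation so the check sees what the browser will see.
    $probe = preg_replace( '/^[\x00-\x20]+|[\x00-\x20]+$/', '', $url );
    $probe = preg_replace( '/[\t\n\r]/', '', $probe );

    // No scheme means a relative or scheme-relative URL ("/path", "#top",
    // "//cdn.example/x"); it inherits the page's scheme and is accepted.
    if ( ! preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $probe, $m ) ) {
        return true;
    }

    // Anything with a scheme must match the allowlist, case-insensitively.
    // A host:port string like "example.com:8080/x" parses as an unknown
    // scheme and is rejected too, which is the safe side of that ambiguity.
    return in_array( strtolower( $m[1] ), $allowed, true );
}

// Constructed sample hrefs, paired with the decision expected for each.
$samples = array(
    'https://example.com/page'      => true,
    'mailto:user@example.com'       => true,
    '/relative/path'                => true,
    'javascript:alert(1)'           => false,
    'JavaScript:alert(1)'           => false,
    "java\tscript:alert(1)"         => false,
    'data:text/html,hello'          => false,
    'vbscript:msgbox'               => false,
);

foreach ( $samples as $href => $expected ) {
    $ok = is_allowed_link_url( $href );
    printf( "%-32s %s\n", addcslashes( $href, "\t" ), $ok === $expected ? 'OK' : 'MISMATCH' );
}
```

The design point is the direction of the check: a denylist of known-bad schemes has to be updated every time a new one is discovered, whereas an allowlist only ever contains the handful of schemes a link dialog has a reason to produce.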

Performance Improvements

This release does not contain any specific performance improvements. The changes are primarily focused on security enhancements and bug fixes.

Impact Summary

WordPress 3.7.22 is a security-focused maintenance release that addresses several potential vulnerabilities in the WordPress core. The changes primarily affect how WordPress handles URLs, database queries, and file operations.

The most significant impact is on the database API, where wpdb::prepare() has been hardened to prevent SQL injection attacks by enforcing stricter handling of placeholders and values. This may affect custom code that relies on undocumented behavior of this function.

The editor now prevents potentially malicious URL schemes (javascript: and data:) in the inline link dialog, protecting sites from cross-site scripting (XSS) attacks. Additional URL validation and escaping has been implemented throughout the admin interface.

Filesystem operations have been improved to validate filenames before unzipping, preventing potential directory traversal attacks. The admin area also received security enhancements for displaying plugin and template names.
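The filename validation described above is a lexical check applied to each archive entry before it is joined to the destination directory. The following is an added example, not WordPress core code; safe_zip_entry_path() is a hypothetical helper and the entry names are constructed. Symlink entries inside an archive are a separate concern not covered here.

```php
<?php
// Added example, not WordPress core code. Returns the destination path for an
// archive entry, or null when the entry name could escape the destination.

function safe_zip_entry_path( string $entry, string $dest_dir ): ?string {
    // Normalise separators first so "..\" cannot slip past a forward-slash check.
    $name = str_replace( '\\', '/', $entry );

    // Empty names and NUL bytes (which truncate paths in some filesystem
    // calls) are never valid entries.
    if ( $name === '' || strpos( $name, "\0" ) !== false ) {
        return null;
    }

    // Absolute paths in Unix ("/etc/x") or Windows ("C:/x") form are rejected.
    if ( $name[0] === '/' || preg_match( '/^[a-zA-Z]:/', $name ) ) {
        return null;
    }

    // Walk the components: any ".." is rejected outright, "." and empty
    // components from "//" are collapsed. With ".." gone, the result cannot
    // lexically climb above $dest_dir.
    $clean = array();
    foreach ( explode( '/', $name ) as $part ) {
        if ( $part === '..' ) {
            return null;
        }
        if ( $part === '' || $part === '.' ) {
            continue;
        }
        $clean[] = $part;
    }
    if ( empty( $clean ) ) {
        return null;
    }

    return rtrim( $dest_dir, '/' ) . '/' . implode( '/', $clean );
}

// Constructed entry names as they might appear in an uploaded archive.
$dest    = '/var/www/html/wp-content/plugins/example';
$entries = array(
    'example/readme.txt',
    'example/inc/./helper.php',
    '../../../wp-config.php',
    'example/..\\..\\wp-config.php',
    '/etc/passwd',
    'C:/Windows/win.ini',
    "example/x\0.php",
);

foreach ( $entries as $entry ) {
    $target = safe_zip_entry_path( $entry, $dest );
    printf( "%-34s -> %s\n", addcslashes( $entry, "\0" ), $target ?? 'REJECTED' );
}
```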

These changes are defensive in nature and should not affect normal site operation, but they significantly improve WordPress's resistance to common attack vectors.

Statistics:

Files Changed: 14
Line Additions: 124
Line Deletions: 36
Line Changes: 160
Total Commits: 10

Users Affected:

  • Enhanced protection against potential security vulnerabilities in the admin area
  • Improved security for plugin and template name displays
  • Strengthened database query preparation to prevent SQL injection

Contributors:

ocean90, johnbillion, aaroncampbell