HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

3.7.32

WordPress Release: 3.7.32

Tag Name: 3.7.32

Release Date: 12/12/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 3.7.32 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security protocols by using the HTML5 named entity : in URI attributes. This is a critical security fix that affects all WordPress 3.7 installations and should be applied immediately to maintain site security.

Highlight of the Release

    • Security patch for wp_kses_bad_protocol() function to prevent protocol validation bypass
    • Protection against HTML5 named entity : exploitation in URI attributes
    • Backport of security fix from newer WordPress versions to the 3.7 branch

Migration Guide

No migration steps are required for this update. This is a direct security patch that doesn't change any APIs or user-facing functionality. Simply update to WordPress 3.7.32 to apply the security fix.

Upgrade Recommendations

Immediate Upgrade Recommended

All WordPress 3.7 installations should be updated to version 3.7.32 immediately. This security release patches a vulnerability that could potentially be exploited to bypass security measures in WordPress.

While WordPress 3.7 is no longer officially supported with regular updates, this security patch has been backported to protect sites still running on this version. However, for optimal security and functionality, it is strongly recommended to upgrade to the latest supported version of WordPress as soon as possible.

The update process should be straightforward:

  1. Back up your WordPress site
  2. Update to WordPress 3.7.32 through your admin dashboard or via manual update
  3. Verify that the update was successful

No additional configuration changes are needed after updating.

Bug Fixes

Security Bug Fix

This release fixes a security vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass protocol validation by using the HTML5 named entity : in URI attributes.

The function is responsible for validating that URI attributes don't contain invalid or disallowed protocols. However, prior to this fix, attackers could potentially bypass this validation by using the : HTML5 named entity instead of a regular colon character, potentially leading to security issues such as XSS attacks.

New Features

No new features were added in this release. WordPress 3.7.32 is strictly a security maintenance release focused on patching a vulnerability in the wp_kses_bad_protocol() function.

Security Updates

Critical Security Fix

WordPress 3.7.32 addresses a significant security vulnerability in the wp_kses_bad_protocol() function:

  • Fixed a security bypass vulnerability where attackers could use the HTML5 named entity : in URI attributes to circumvent protocol validation
  • This could potentially allow malicious protocols to be injected into URI attributes, bypassing WordPress's content sanitization
  • The vulnerability could be exploited to perform cross-site scripting (XSS) attacks in certain contexts
  • This fix ensures that the : HTML5 named entity is properly recognized and handled during protocol validation

This security patch was originally implemented in newer WordPress versions and has been backported to the 3.7 branch to protect sites still running on this version.

Performance Improvements

No specific performance improvements were included in this release. The update focuses exclusively on addressing the security vulnerability in the wp_kses_bad_protocol() function.

Impact Summary

WordPress 3.7.32 addresses a security vulnerability that could allow attackers to bypass protocol validation in the wp_kses_bad_protocol() function by using the HTML5 named entity : in URI attributes. This is a critical security fix that helps protect WordPress sites from potential cross-site scripting (XSS) attacks.

The impact of this vulnerability is significant as it affects a core WordPress security function used to sanitize content and prevent malicious code injection. By updating to version 3.7.32, site administrators ensure that this potential attack vector is closed.

While this update is crucial for sites running WordPress 3.7, it's important to note that this branch is quite old and no longer receives regular updates. This security patch was specifically backported to protect legacy installations, but users should strongly consider upgrading to a current, fully-supported WordPress version for comprehensive security coverage.

Statistics:

File Changed5
Line Additions45
Line Deletions3
Line Changes48
Total Commits3

User Affected:

  • Need to update their WordPress 3.7 installations to version 3.7.32 immediately
  • Should verify that the security patch has been successfully applied
  • May need to check for any potential exploits that could have occurred before updating

Contributors:

SergeyBiryukov