
WordPress Release: 3.7.35

Tag Name: 3.7.35

Release Date: 10/29/2020

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.7.35 is a security and maintenance release that addresses several important security vulnerabilities and improves error handling across multiple components. This update focuses on enhancing security for XML-RPC functionality, fixing deserialization issues in external libraries, improving error messages, and ensuring proper privilege checks throughout the system. The release also includes backward compatibility improvements for screen options in the admin area.

Highlight of the Release

  • Enhanced security for XML-RPC functionality with improved error messages and validation
  • Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential attacks
  • Added backward compatibility for screen options in the admin area
  • Disabled embeds on deactivated Multisite sites
  • Improved privilege checks for theme background image settings

Migration Guide

No significant migration steps are required for this update. This is primarily a security and maintenance release that should be applied as soon as possible.

If you're a developer who has implemented custom screen option handling using the set-screen-option filter, your code should continue to work as expected due to the backward compatibility measures. However, for more granular control, you may want to update your code to use the new set_screen_option_{$option} filter.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains several important security fixes that address vulnerabilities in XML-RPC functionality, external libraries, and privilege checks. All WordPress site owners should upgrade to version 3.7.35 immediately to protect their sites from potential security threats.

The update is focused on security and maintenance improvements with minimal risk of breaking existing functionality due to the careful attention to backward compatibility.

Bug Fixes

Administration

  • Fixed backward compatibility issues with screen options by passing the result of the set-screen-option filter on to the new set_screen_option_{$option} filter
  • Renamed the $keep parameter to $screen_option in both filters for better clarity
  • Updated documentation to better reflect the purpose of these filters

XML-RPC

  • Improved error messages for unprivileged users to prevent information disclosure
  • Fixed handling of incorrect attachment IDs to return proper error messages

Meta

  • Fixed meta key handling by sanitizing the meta key before checking whether it is protected

Themes

  • Fixed a security issue where non-privileged users could potentially set background images when a theme was using the deprecated custom background page

Installation

  • Improved logic check when determining installation status to prevent potential issues during upgrades

New Features

New Filter for Screen Options

A new filter set_screen_option_{$option} has been added to provide more granular control over screen options in the admin area. This filter works alongside the existing set-screen-option filter to ensure backward compatibility while offering more specific control over individual screen options.
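The two filters described here and in the Migration Guide, shown together as an added example (not WordPress core code or any real plugin): a plugin keeps its legacy set-screen-option hook and adds the per-option hook, relying on 3.7.35 passing the legacy result through. The option name myplugin_items_per_page and all function names are assumed.

```php
<?php
// Added example, not WordPress core code. The option name is assumed; it ends
// in "_page" because core only routes per-page list-table options to these filters.

// Legacy filter: fires for every screen option, so check the option name and
// pass through anything that is not ours. Its return value is handed on to
// the per-option filter below (the back-compat fix shipped in 3.7.35).
add_filter( 'set-screen-option', 'myplugin_legacy_screen_option', 10, 3 );
function myplugin_legacy_screen_option( $screen_option, $option, $value ) {
    if ( 'myplugin_items_per_page' !== $option ) {
        return $screen_option; // not our option: leave the incoming value untouched
    }
    return myplugin_sanitize_per_page( $value );
}

// New per-option filter: only fires for our option, so no name check is needed.
// $screen_option already holds the legacy filter's result on 3.7.35.
add_filter( 'set_screen_option_myplugin_items_per_page', 'myplugin_new_screen_option', 10, 3 );
function myplugin_new_screen_option( $screen_option, $option, $value ) {
    if ( false !== $screen_option ) {
        return $screen_option; // legacy hook already sanitized it: keep that result
    }
    return myplugin_sanitize_per_page( $value ); // nothing upstream handled it
}

// Clamp the user-submitted value to a safe range. Returning false tells core
// not to store the option at all, so an out-of-range value is simply dropped.
function myplugin_sanitize_per_page( $value ) {
    $value = (int) $value;
    if ( $value < 1 || $value > 999 ) {
        return false;
    }
    return $value;
}
```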

Security Updates

XML-RPC Security

  • Improved error messages for unprivileged users to prevent potential information disclosure
  • Enhanced validation of attachment IDs to prevent unauthorized access

External Libraries

  • Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection attacks

Embeds

  • Disabled embeds on deactivated Multisite sites to prevent potential misuse

Escaping Functions

  • Modified escaping functions to avoid potential false positives that could lead to security issues

Theme Background Images

  • Fixed a security vulnerability where non-privileged users could potentially set background images when a theme was using the deprecated custom background page

Meta Protection

  • Enhanced sanitization of meta keys before checking protection status to prevent potential bypass of protection mechanisms

Performance Improvements

Error Handling

  • Improved error handling and messaging across multiple components, particularly in XML-RPC functionality
  • Enhanced validation checks to prevent unnecessary processing of invalid requests

Impact Summary

WordPress 3.7.35 is primarily a security-focused release that addresses multiple vulnerabilities across different components of the CMS. The most significant changes involve hardening the XML-RPC functionality, preventing deserialization attacks in external libraries, improving privilege checks, and enhancing error handling.

For administrators and site owners, this update provides important security enhancements without requiring any significant changes to existing workflows or configurations. The improvements to screen options handling in the admin area maintain backward compatibility while offering developers more granular control through a new filter.

For developers, the renamed parameters in screen option filters provide better clarity, though existing code will continue to work due to backward compatibility measures. The modifications to escaping functions help avoid false positives that could potentially lead to security issues.

Multisite administrators will benefit from improved security through the disabling of embeds on deactivated sites and better handling of attachment IDs in XML-RPC requests.

Overall, this release represents an important security update that should be applied promptly to all WordPress installations to maintain site security and integrity.

Statistics:

Files Changed: 17
Line Additions: 137
Line Deletions: 36
Line Changes: 173
Total Commits: 4

Users Affected:

  • Improved backward compatibility for screen options in the admin area
  • Enhanced security for privileged actions like setting background images
  • Better error handling during upgrades and installations

Contributors:

SergeyBiryukov, whyisjake, desrosj