WordPress Release: 3.7.4

TL;DR

WordPress 3.7.4 is a security-focused maintenance release that addresses several important vulnerabilities. This update implements constant-time verification for nonces, disables external entities in ID3 tags and XML-RPC requests, improves password reset security, and enhances avatar display safety through proper escaping. These changes significantly improve WordPress's resistance to timing attacks, XML external entity (XXE) vulnerabilities, and potential cross-site scripting issues.

Highlight of the Release

• Implementation of constant-time verification for WordPress nonces to prevent timing attacks
• Disabled external entities in ID3 tag processing to prevent XXE vulnerabilities
• Enhanced password reset security by improving key handling
• Improved escaping in the get_avatar() function to prevent potential XSS issues
• Added protection against XML external entity attacks in XML-RPC requests

Migration Guide

No specific migration steps are required for this security update. Site administrators should update to WordPress 3.7.4 as soon as possible to protect their sites from the security vulnerabilities addressed in this release.

If you're using custom code that interacts with nonces, password resets, ID3 tag processing, avatars, or XML-RPC functionality, you should test your code after updating to ensure compatibility, though no issues are expected for standard implementations.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that protect WordPress sites from several vulnerabilities. All WordPress site administrators should update to version 3.7.4 immediately.

The security improvements in this release address important vulnerabilities related to:

• Timing attacks on nonce verification
• XML external entity (XXE) attacks through ID3 tags and XML-RPC
• Password reset security
• Cross-site scripting prevention in avatar display

These security fixes are essential for maintaining the security of your WordPress installation. The update process should be smooth and without complications as this is a maintenance release focused on security fixes rather than feature changes.

Bug Fixes

Security Bug Fixes

• Constant-time Implementation for wp_verify_nonce(): Fixed a potential timing attack vulnerability by implementing constant-time verification for WordPress nonces.

• External Entity Handling in ID3: Disabled external entities in ID3 tag processing to prevent XML external entity (XXE) attacks when processing media files.

• Password Reset Security: Improved the password reset functionality to handle reset keys more securely, preventing potential exposure of sensitive information. Props to mdawaffe. Fixes #29060.

• Avatar Display Security: Enhanced the get_avatar() function to properly escape output, preventing potential cross-site scripting (XSS) vulnerabilities.

• XML-RPC Request Handling: Added protection against XML external entity attacks in XML-RPC requests by ignoring entities. Props to mdawaffe and nacin.

• Nonce Hash Building: Improved security by using delimiters when building nonce hashes, as a follow-up to the constant-time nonce verification changes.

New Features

No new features were introduced in this release. WordPress 3.7.4 is focused entirely on security improvements and bug fixes to address specific vulnerabilities.

Security Updates

Critical Security Improvements

• Protection Against Timing Attacks: Implemented constant-time verification for WordPress nonces, preventing attackers from using timing differences to determine valid nonces.

• XXE Vulnerability Mitigation: Disabled external entities in both ID3 tag processing and XML-RPC requests, preventing XML external entity (XXE) attacks that could lead to server-side request forgery, port scanning, or denial of service.

• Password Reset Security Enhancement: Improved the handling of password reset keys to prevent potential exposure in URLs or logs, enhancing overall authentication security.

• XSS Prevention: Enhanced escaping in the get_avatar() function to prevent potential cross-site scripting attacks through avatar display.

• Nonce Security Hardening: Added delimiters when building nonce hashes to further strengthen the security of WordPress's nonce system against potential attacks.

Performance Improvements

Performance and Security Balance

The constant-time implementation for wp_verify_nonce() represents both a security improvement and a performance consideration. While constant-time algorithms may not be faster, they provide critical protection against timing attacks by ensuring that the verification process takes the same amount of time regardless of whether the nonce is valid or not. This prevents attackers from using timing differences to determine valid nonces.

Impact Summary

WordPress 3.7.4 is a security-focused maintenance release that significantly improves the platform's resistance to several types of attacks. By implementing constant-time verification for nonces, WordPress is now better protected against timing attacks that could potentially compromise authentication. The disabling of external entities in both ID3 tag processing and XML-RPC requests closes important XML external entity (XXE) vulnerability vectors that could have been exploited for server-side attacks.

The improvements to password reset functionality and avatar display escaping further enhance WordPress's defense against common web vulnerabilities. These changes collectively represent an important hardening of WordPress core security without introducing any breaking changes or requiring migration efforts.

While this release doesn't introduce new features, its security improvements are crucial for all WordPress installations. The changes are particularly important for sites that handle sensitive user data or are high-value targets for attackers.