WordPress Release: 3.7.40

TL;DR

WordPress 3.7.40 Security Release

This maintenance release includes several important security fixes and introduces new strings to indicate security support status for WordPress versions. The update focuses primarily on hardening WordPress against potential vulnerabilities by applying KSES filtering to various content types and improving security validation across multiple components. This release is part of WordPress's ongoing commitment to maintaining security for all supported versions.

Highlight of the Release

• Introduction of strings to indicate security support status for WordPress versions
• Multiple security enhancements across various WordPress components
• Improved KSES filtering applied to post-by-email content, trackbacks, and comments
• Enhanced validation for the WordPress host confirmation screen
• Security improvements for widgets and RSS error message handling

Migration Guide

No specific migration steps are required for this security release. Site administrators should update to WordPress 3.7.40 as soon as possible to ensure their sites benefit from these security enhancements.

The new strings introduced for indicating security support status do not affect current functionality and are being added in preparation for future use.

Upgrade Recommendations

It is strongly recommended that all WordPress 3.7.x sites be updated to version 3.7.40 immediately. This release contains important security fixes that help protect your site from potential vulnerabilities.

As this is a security release, it's advisable to update as soon as possible. The update process should be straightforward with no expected compatibility issues.

Bug Fixes

Security Fixes and Improvements

• Post-by-Email: Applied KSES filtering to post-by-email content to prevent potential security issues
• Post-by-Email: Removed email addresses from post-by-email logs to enhance privacy
• Host Validation: Improved validation on the "Are you sure?" confirmation screen
• Trackbacks/Pingbacks: Applied KSES filtering to all trackbacks to prevent potential XSS vulnerabilities
• Comments: Enhanced security by applying KSES filtering when editing comments
• PHPMailer: Reset PHPMailer properties between uses to prevent potential information leakage
• Widgets: Escaped RSS error messages for display to prevent potential XSS vulnerabilities

New Features

New Support Status Indicators

This release introduces new strings that will be used in future maintenance and security releases to indicate the security support status of WordPress versions:

• A string indicating when a WordPress version is no longer receiving security updates
• A string indicating when a WordPress version will shortly stop receiving security updates

These strings have been added to make them available to translators before they're actively used in future releases. This helps prepare users for upcoming changes in security support for their WordPress installations.

Security Updates

Security Enhancements

This release includes several important security fixes:

• Content Filtering: Applied KSES filtering to multiple content types including post-by-email content, trackbacks, and comments to prevent potential XSS attacks
• Privacy Protection: Removed email addresses from post-by-email logs to enhance user privacy
• Host Validation: Improved validation on the WordPress "Are you sure?" screen to prevent potential security issues
• Email Handling: Reset PHPMailer properties between uses to prevent potential information leakage between emails
• Widget Security: Escaped RSS error messages in widgets to prevent potential XSS vulnerabilities

These changes collectively strengthen WordPress's security posture by addressing potential vulnerabilities across multiple components.

Performance Improvements

No specific performance improvements were mentioned in this security-focused release. The changes primarily address security vulnerabilities and introduce new strings for future use in indicating security support status.

Impact Summary

WordPress 3.7.40 is primarily a security-focused release that addresses several potential vulnerabilities across different WordPress components. The most significant changes include enhanced KSES filtering for various content types (post-by-email, trackbacks, comments), improved host validation, and better handling of RSS error messages in widgets.

The release also introduces new strings to indicate security support status, which will be used in future releases to inform users when their WordPress version is approaching or has reached end-of-security-support. These strings are being added now to make them available for translation before they're actively used.

While this release doesn't introduce new features or performance improvements, it represents WordPress's ongoing commitment to maintaining security for all supported versions, including the older 3.7 branch. Site administrators should prioritize this update to ensure their sites remain protected against potential security threats.