WordPress Release: 3.7.5

TL;DR

WordPress 3.7.5 is a security and maintenance release that addresses several important security vulnerabilities and bug fixes. This update focuses on improving password reset functionality, enhancing security validation across various components, and fixing performance issues with text processing. The release includes critical security patches that protect against potential exploits in password handling, image processing, and HTTP requests.

Highlight of the Release

• Enhanced password reset security with proper URL handling and form validation
• Improved security for password hashing and comparison
• Fixed resource usage issues when processing large passwords
• Better validation for image data and HTTP requests
• Performance improvements for text processing with shortcodes

Migration Guide

No specific migration steps are required for this update. WordPress 3.7.5 is a maintenance and security release that should be applied as soon as possible to ensure your site remains secure.

To update:

1. Back up your website files and database
2. Update through the WordPress admin dashboard or download the update from wordpress.org
3. Apply the update following standard WordPress update procedures

Upgrade Recommendations

This release contains several important security fixes that address vulnerabilities in password handling, image processing, and HTTP request validation. Immediate upgrade is strongly recommended for all WordPress 3.7.x installations to protect your site from potential security exploits.

The security improvements in this release are critical for maintaining the integrity and security of your WordPress installation. As this is primarily a security release, there should be minimal risk of compatibility issues with existing themes and plugins.

Bug Fixes

• Fixed password reset functionality to use network_site_url() for form actions, ensuring proper URL handling
• Corrected a typo in style filter that could affect theme styling
• Fixed Press This tool to properly display error messages when they occur
• Improved validation for password reset forms to prevent potential issues
• Fixed an issue where password reset keys weren't being invalidated when a user's email address changed
• Improved regex efficiency in the texturize function by anchoring to shortcodes, addressing potential segfault issues (#29557)

New Features

No significant new features were added in this maintenance release. WordPress 3.7.5 focuses primarily on security enhancements and bug fixes to the existing functionality.

Security Updates

• Implemented hash_equals() for comparing old MD5 hashes to prevent timing attacks
• Added better validation of URLs used in core HTTP requests to prevent potential security issues
• Enhanced image data validation to protect against malicious uploads or processing
• Improved password reset security with proper form validation and URL handling
• Added protection against high resource usage when hashing large passwords to prevent denial of service attacks
• Implemented automatic invalidation of password keys when a user's email address changes to prevent unauthorized access

Performance Improvements

• Enhanced regex efficiency in the texturize function by anchoring to shortcodes, which helps prevent potential segfault issues and improves processing speed
• Implemented measures to prevent high resource usage when hashing large passwords, protecting against potential denial of service attacks
• Optimized validation processes for HTTP requests and image data to reduce unnecessary processing

Impact Summary

WordPress 3.7.5 is a security-focused maintenance release that addresses several important vulnerabilities and bugs. The most significant changes involve improved password security, including better handling of password resets, proper validation of forms, and protection against resource exhaustion attacks when processing large passwords.

The release also enhances security in other areas, such as image data validation and HTTP request handling. Performance improvements include optimized text processing with shortcodes to prevent potential segfault issues.

This update is particularly important for site administrators as it patches several security vulnerabilities that could potentially be exploited. While the changes are primarily under-the-hood and won't affect the day-to-day user experience, they significantly improve the security posture of WordPress installations.

All WordPress 3.7.x users should update to version 3.7.5 as soon as possible to ensure their sites remain secure against the vulnerabilities addressed in this release.