WordPress Release: 3.7.6

TL;DR

WordPress 3.7.6 is a security and maintenance release that addresses several important security vulnerabilities and improves database query handling. This update focuses on preventing SQL injection attacks through improved query sanitization, fixing multisite security issues, and ensuring proper escaping of post titles on the dashboard. The release also includes PHPUnit test fixes and cleanup of legacy TinyMCE code.

Highlight of the Release

• Enhanced security against SQL injection attacks through improved query sanitization
• Fixed multisite security issue preventing plugins from unintentionally switching sites
• Improved escaping of post titles on the Dashboard
• Optimized database query handling with better sanity checks

Migration Guide

No specific migration steps are required for this update. WordPress 3.7.6 is a maintenance and security release that should be applied as a standard update.

To update:

1. Back up your website files and database
2. Update through the WordPress admin dashboard or download the update from wordpress.org
3. Verify your site functionality after the update is complete

No changes to themes or plugins should be necessary as a result of this update.

Upgrade Recommendations

This update is highly recommended for all WordPress 3.7.x users due to the security fixes included. The release addresses several security vulnerabilities, including potential SQL injection issues and multisite security concerns.

Given the security nature of this release, all WordPress 3.7.x sites should be updated to version 3.7.6 as soon as possible to ensure protection against the addressed vulnerabilities.

For users on older versions of WordPress, this update reinforces the importance of staying on a supported branch with regular security updates.

Bug Fixes

• Fixed PHPUnit test issues to ensure proper test functionality
• Addressed edge cases in sanitize_sql_orderby() function for more robust query handling
• Fixed security issue with post titles not being correctly escaped on the Dashboard
• Resolved an issue in multisite installations where plugins could unintentionally switch sites
• Improved database query sanity checking with optimized early returns when possible
• Removed outdated backwards compatibility code from TinyMCE editor

New Features

No significant new features were added in this maintenance release. WordPress 3.7.6 focuses primarily on security enhancements and bug fixes to improve the stability and security of existing functionality.

Security Updates

• Implemented query sanity checks to prevent SQL injection vulnerabilities
• Enhanced sanitize_sql_orderby() function to handle edge cases that could potentially be exploited
• Fixed security issue in multisite installations by preventing plugins from unintentionally switching sites
• Improved escaping of post titles on the Dashboard to prevent potential XSS attacks
• Enhanced database query handling with better collation-based sanity checking

Performance Improvements

• Optimized database query handling with improved sanity checking logic
• Enhanced query performance by implementing early returns when additional checks aren't needed
• Removed legacy TinyMCE compatibility code, reducing unnecessary processing

Impact Summary

WordPress 3.7.6 significantly improves the security posture of WordPress 3.7.x installations by addressing multiple security vulnerabilities. The primary focus is on preventing SQL injection attacks through enhanced query sanitization and handling.

The update addresses security concerns in multisite installations by preventing plugins from unintentionally switching sites, which could potentially lead to security issues. It also fixes improper escaping of post titles on the Dashboard, closing a potential XSS vulnerability.

Performance improvements come from optimized database query handling with better sanity checks and early returns when additional processing isn't needed. The removal of legacy TinyMCE compatibility code also helps streamline the codebase.

This maintenance release is particularly important for sites still running WordPress 3.7.x, as it provides critical security fixes while maintaining compatibility with existing themes and plugins.