
WordPress Release: 3.8.28

Tag Name: 3.8.28

Release Date: 12/13/2018

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.8.28 is a security and maintenance release that addresses several important security vulnerabilities and improves the platform's stability. This update focuses on enhancing security in media handling, KSES filtering, multisite activation, and post editing functionality.

What's new: Improved MIME file type verification, better KSES filtering for forms and URI attributes, enhanced multisite activation validation, and removal of unwanted fields during post saving.

Why it matters: These changes protect WordPress sites from potential security exploits and improve the overall user experience, particularly for multisite installations.

Who should care: All WordPress 3.8.x site administrators should update immediately to protect their sites from security vulnerabilities.

Highlight of the Release

    • Enhanced security for media uploads with improved MIME file type verification
    • Improved KSES filtering with conditional removal of the <form> element and DRY URI attributes
    • Better multisite user experience with improved activation messaging and link validation
    • Increased post editing security by removing unwanted fields before saving

Migration Guide

No specific migration steps are required for this update. This is a security and maintenance release that should be applied as soon as possible.

To update to WordPress 3.8.28:

  1. Back up your WordPress files and database
  2. Download the update from the WordPress dashboard or from wordpress.org
  3. Follow the standard WordPress update procedure

No changes to themes or plugins should be necessary as a result of this update.

Upgrade Recommendations

Immediate Upgrade Recommended

All WordPress 3.8.x site administrators should upgrade to version 3.8.28 immediately. This release contains important security fixes that protect your site from potential vulnerabilities.

If you're running an older version of WordPress, consider updating to the latest major version for access to additional features and security improvements. However, if you must remain on the 3.8.x branch, this update is essential for maintaining site security.

Bug Fixes

Media File Type Verification

Fixed an issue with MIME file type verification to enhance security when uploading media files.

Multisite Activation Messaging

Resolved a bug where users who followed an activation link multiple times would see incorrect messaging. The system now ensures activation is not attempted multiple times and displays the appropriate message for previously activated users.

KSES Form Element Handling

Fixed a potential security issue by conditionally removing the <form> element from $allowedposttags. To maintain backward compatibility, the <form> element is re-added if a custom filter has added the <input> or <select> elements.

New Features

New KSES URI Attributes Function

A new wp_kses_uri_attributes function has been introduced to centralize the list of URI attributes in KSES filtering. This function helps prevent inconsistencies in attribute handling and includes a filter that allows plugins to customize the attributes list.

Improved Multisite Activation Process

The multisite activation process has been enhanced to provide clearer messaging for previously activated users and better validation of activation links.

Security Updates

Media Upload Security

Improved verification of MIME file types to prevent potential security vulnerabilities related to malicious file uploads.
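The release notes do not say how the MIME verification was changed, so the following is an added example, not WordPress code: a small Python model of the defensive idea behind such a check, namely that an upload is accepted only when its extension, the client-declared Content-Type and the actual leading bytes all agree. The signature table and extension allowlist are constructed subsets, and the sample files are constructed inputs.

```python
"""Model of verifying an upload's MIME type against its content (added example).

Not WordPress code: a Python model of the idea behind checking that an
upload's extension, its declared Content-Type and the bytes on disk agree,
rather than trusting the client-declared type alone.
"""
from typing import Optional, Tuple

# Real magic-byte prefixes for the few media types this model understands.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

# Upload allowlist: extension -> the MIME type it must carry (constructed subset).
ALLOWED_EXTENSIONS = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Identify the type from the leading bytes; None if no known signature matches."""
    for signature, mime in SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def check_upload(filename: str, data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Accept only when the extension is allowed and both the declared type
    and the sniffed content agree with what that extension must be."""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(extension)
    if expected is None:
        return False, f"extension '{extension}' is not in the upload allowlist"
    if declared_mime.lower() != expected:
        return False, f"declared type {declared_mime} does not match .{extension}"
    sniffed = sniff_mime(data)
    if sniffed != expected:
        return False, f"content looks like {sniffed or 'an unknown type'}, not {expected}"
    return True, "accepted"


# Constructed sample inputs: a minimal PNG header, and plain text that only
# claims to be an image through its file name and declared type.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_SAMPLE = b"plain text pretending to be an image"

if __name__ == "__main__":
    for name, data, declared in [
        ("photo.png", PNG_SAMPLE, "image/png"),   # everything agrees
        ("photo.png", TEXT_SAMPLE, "image/png"),  # declared type and name lie
        ("notes.txt", TEXT_SAMPLE, "text/plain"),  # extension not allowed
    ]:
        print(name, check_upload(name, data, declared))
```

The second case is the one a declared-type-only check misses: the name and the Content-Type header both say PNG, and only the content sniff rejects it.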

KSES Filtering Enhancements

  • Conditionally removed the <form> element from $allowedposttags to prevent potential security issues, while maintaining backward compatibility
  • Made URI attributes handling more consistent with the introduction of the wp_kses_uri_attributes function
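To make the two KSES changes above concrete (the conditional handling of the form element described under Bug Fixes, and the centralized URI attribute list from the New Features section), here is an added example in plain Python. It is a model of the filtering idea, not WordPress's KSES code: the tag allowlist, the URI attribute set and the allowed protocols are constructed subsets, and `build_allowed_tags` stands in for the allowed-tags filter hook and `allow_form_controls` for a plugin that uses it.

```python
"""Model of KSES-style allowlist filtering (added example, not WordPress code).

Two ideas from the release notes, in plain Python: one central list of
URI-carrying attributes whose values all get the same protocol check, and a
<form> tag that survives only when the customised allowlist also permits
form controls.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Callable, Dict, Optional, Set

TagMap = Dict[str, Set[str]]

# Constructed subset of attributes that carry a URI (not WordPress's full list).
URI_ATTRIBUTES = {"href", "src", "cite", "action", "formaction", "poster", "data"}
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}

# Constructed base allowlist for post content; stands in for $allowedposttags.
BASE_POST_TAGS: TagMap = {
    "a": {"href", "title"},
    "b": set(), "em": set(), "p": set(),
    "img": {"src", "alt"},
    "blockquote": {"cite"},
    "form": {"action", "method"},
}


def build_allowed_tags(custom_filter: Optional[Callable[[TagMap], TagMap]] = None) -> TagMap:
    """Apply an optional plugin-style filter, then drop <form> unless the
    resulting list also allows <input> or <select>."""
    tags = {tag: set(attrs) for tag, attrs in BASE_POST_TAGS.items()}
    if custom_filter is not None:
        tags = custom_filter(tags)
    if "form" in tags and not (tags.keys() & {"input", "select"}):
        del tags["form"]
    return tags


def safe_uri(value: str, protocols: Set[str] = ALLOWED_PROTOCOLS) -> bool:
    """Allow relative URIs and listed schemes; whitespace and control
    characters are removed first so a split-up scheme cannot slip through."""
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 0x20)
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True
    return head.split(":", 1)[0].lower() in protocols


class KsesLikeFilter(HTMLParser):
    """Rebuilds markup keeping only allowed tags and attributes; text is kept."""

    def __init__(self, allowed: TagMap):
        super().__init__()
        self.allowed = allowed
        self.out = []

    def _emit(self, tag, attrs, self_closing):
        if tag not in self.allowed:
            return  # a disallowed tag vanishes; its inner text stays
        parts = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag]:
                continue
            if name in URI_ATTRIBUTES and not safe_uri(value):
                continue  # one protocol rule for every URI attribute
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def kses(html: str, allowed: Optional[TagMap] = None) -> str:
    parser = KsesLikeFilter(allowed if allowed is not None else build_allowed_tags())
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def allow_form_controls(tags: TagMap) -> TagMap:
    """A plugin-style filter that opts in to form controls (constructed)."""
    tags["input"] = {"type", "name"}
    return tags


# Constructed sample content.
FORM_SAMPLE = '<form action="https://example.com/login"><b>Sign in</b></form>'

if __name__ == "__main__":
    print(kses('<a href="javascript:alert(1)" title="t">x</a>'))  # <a title="t">x</a>
    print(kses(FORM_SAMPLE))                                       # <b>Sign in</b>
    print(kses(FORM_SAMPLE, build_allowed_tags(allow_form_controls)))  # form kept
```

The point of routing every URI attribute through one `safe_uri` check is the consistency the release notes mention: an attribute that is on the tag allowlist but missing from the URI list would otherwise pass its value through with no protocol check at all.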

Multisite Activation Security

Enhanced validation of activation links in multisite installations to prevent potential security issues.

Post Editing Security

Removed unwanted fields (meta_input, file, and guid) before saving posts, as these fields are not intended to be updated through user input and could potentially be exploited.
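As an added illustration of that change (not WordPress code), the Python model below drops the three fields the release names before a save, and places that denylist next to a stricter allowlist of editable fields. The request payload, the editable-field list and the `post_author` key used to show the difference are all constructed for this example.

```python
"""Model of dropping fields a post save must never take from user input (added example).

Not WordPress code. The release drops meta_input, file and guid before saving;
this model shows that denylist next to a stricter allowlist of editable fields
and reports what each approach removed from a constructed edit request.
"""
from typing import Any, Dict, List, Tuple

# Fields named in the release notes as not meant to be updated through user input.
DENIED_FIELDS = {"meta_input", "file", "guid"}

# Stricter alternative (constructed): only the fields the edit form is meant to set.
EDITABLE_FIELDS = {"post_title", "post_content", "post_excerpt", "post_status", "tags_input"}


def strip_denied_fields(post: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Denylist: remove the named fields, pass everything else through."""
    kept = {k: v for k, v in post.items() if k not in DENIED_FIELDS}
    return kept, sorted(set(post) - set(kept))


def keep_editable_fields(post: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Allowlist: keep only fields the form may set; unknown keys never reach the save."""
    kept = {k: v for k, v in post.items() if k in EDITABLE_FIELDS}
    return kept, sorted(set(post) - set(kept))


# Constructed edit request: legitimate fields plus keys a form should never send.
REQUEST = {
    "post_title": "Hello",
    "post_content": "Body",
    "post_status": "draft",
    "guid": "https://example.com/?p=1",      # identifier, not user-settable
    "file": "2018/12/attachment.png",        # storage path, not user-settable
    "meta_input": {"_setting": "1"},         # arbitrary post meta
    "post_author": "2",                      # not denied, but not an edit-form field in this model
}

if __name__ == "__main__":
    print(strip_denied_fields(REQUEST))
    print(keep_editable_fields(REQUEST))
```

The denylist does exactly what the release describes; the allowlist additionally stops the constructed `post_author` key, which shows why a list of fields that may be set ages better than a list of fields that may not.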

Performance Improvements

No specific performance improvements were mentioned in this release. The changes focus primarily on security enhancements and bug fixes.

Impact Summary

WordPress 3.8.28 is primarily a security-focused release that addresses several potential vulnerabilities in the core platform. The update improves security in four key areas:

  1. Media handling: Enhanced verification of MIME file types to prevent malicious file uploads
  2. KSES filtering: Improved handling of form elements and URI attributes to prevent potential XSS vulnerabilities
  3. Multisite activation: Better validation of activation links and improved user messaging
  4. Post editing: Removal of fields that shouldn't be updated through user input

These changes significantly improve the security posture of WordPress 3.8.x installations without introducing breaking changes. The release maintains backward compatibility while addressing important security concerns.

For multisite administrators, the improved activation process provides a better user experience with clearer messaging and enhanced security. Developers will benefit from more consistent KSES filtering behavior and the new filter for customizing URI attributes.

Overall, this release represents an important maintenance update that all WordPress 3.8.x users should apply promptly.

Statistics:

Files Changed: 14
Line Additions: 282
Line Deletions: 64
Line Changes: 346
Total Commits: 8

Users Affected:

  • Enhanced security for their WordPress installations
  • Improved media file type verification to prevent malicious uploads
  • Better protection against potential KSES-related vulnerabilities
  • More secure post editing with removal of unwanted fields

Contributors:

jeremyfelt, pento, peterwilsoncc, iandunn