WordPress Release: 3.8.31

TL;DR

WordPress 3.8.31 focuses on security hardening with multiple critical fixes across core components. This maintenance release addresses several vulnerabilities including path traversal issues, HTTP API protections, and REST API security improvements. All WordPress 3.8 users should update immediately to protect their sites.

Highlight of the Release

• Multiple security fixes addressing vulnerabilities in core WordPress components
• Protection against directory traversal attacks in the Filesystem API
• Enhanced HTTP API security to prevent hex interpretation exploits
• Improved admin referer nonce validation
• Added REST API security improvements with Vary: Origin header on GET requests
• Better sanitization of background images in the Customizer

Migration Guide

No specific migration steps are required for this update. This is a security release that should be applied immediately without any expected compatibility issues.

Upgrade Recommendations

Immediate Update Recommended

This release contains several important security fixes. All WordPress 3.8 users should update to version 3.8.31 immediately to protect their sites from potential security vulnerabilities.

For sites on managed WordPress hosting, the update may be applied automatically. For self-hosted sites, administrators should update through the WordPress dashboard or via their preferred update method as soon as possible.

Bug Fixes

Core Bug Fixes

• Query: Removed the static query property which could cause unexpected behavior
• HTTP API: Added protection against hex interpretation vulnerabilities
• Filesystem API: Implemented safeguards to prevent directory traversals when creating new folders
• Administration: Enhanced validation to ensure admin referer nonces are valid
• REST API: Added Vary: Origin header on GET requests for improved security
• Customizer: Improved sanitization of background images

New Features

Developer Experience Improvements

• Added .nvmrc files to older versions of WordPress to help developers use the correct Node.js version when switching between branches

Security Updates

Security Enhancements

• Filesystem API: Fixed a vulnerability that could allow directory traversal attacks when creating new folders
• HTTP API: Added protection against hex interpretation exploits that could potentially be used for server-side request forgery
• Administration: Strengthened admin referer nonce validation to prevent potential CSRF attacks
• REST API: Implemented Vary: Origin header on GET requests to improve cross-origin security
• Customizer: Enhanced sanitization of background images to prevent potential XSS vulnerabilities

Performance Improvements

No specific performance improvements were mentioned in this release.

Impact Summary

WordPress 3.8.31 is primarily a security release that addresses multiple vulnerabilities across core WordPress components. The fixes focus on hardening the WordPress core against potential exploits including directory traversal attacks, HTTP API vulnerabilities, and improving REST API security.

The security improvements in this release are significant as they protect against several potential attack vectors. Site administrators should prioritize this update to ensure their WordPress installations remain secure.

For developers, the removal of the static query property may require attention if any custom code relied on this functionality. Additionally, the improvements to the HTTP API and Filesystem API provide better protection but may affect code that interacts with these components in non-standard ways.

This release also includes a developer experience improvement with the addition of .nvmrc files to help maintain the correct Node.js version when working with older WordPress branches.