WordPress Release: 3.8.32

TL;DR

WordPress 3.8.32 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security protocols by using the HTML5 named entity : in URI attributes. This is a critical security fix that all WordPress 3.8 users should apply immediately to protect their sites from potential XSS attacks.

Highlight of the Release

• Fixed a security vulnerability in wp_kses_bad_protocol() that could allow bypassing security checks
• Patched handling of HTML5 named entity : in URI attributes
• Backported security fix from newer WordPress versions to the 3.8 branch

Migration Guide

No migration steps are required for this update. This is a direct security patch that doesn't change any APIs or user-facing functionality. Simply update to WordPress 3.8.32 to apply the security fix.

Upgrade Recommendations

Immediate Upgrade Recommended

All users running WordPress 3.8 are strongly recommended to update immediately to version 3.8.32. This release contains a critical security fix that addresses a vulnerability in the wp_kses_bad_protocol() function.

The security issue could potentially allow attackers to bypass security validations when using HTML5 named entities in URI attributes, which could lead to cross-site scripting (XSS) attacks.

While WordPress 3.8 is an older version of WordPress and no longer receives regular updates, this security patch has been backported specifically to address this vulnerability. However, for maximum security and feature support, users should consider upgrading to the latest supported version of WordPress.

Bug Fixes

Security Bug Fix

Fixed a vulnerability in wp_kses_bad_protocol() where the function failed to properly recognize and handle the HTML5 named entity : in URI attributes. This could potentially allow malicious actors to bypass security validations and inject unauthorized protocols into URI attributes, potentially leading to cross-site scripting (XSS) attacks.

The fix ensures that the : HTML5 named entity is properly recognized and handled when validating URI attributes, closing this security loophole.

New Features

No new features were added in this release. WordPress 3.8.32 is strictly a security maintenance release focused on patching a vulnerability in the wp_kses_bad_protocol() function.

Security Updates

Critical Security Fix

This release patches a significant security vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security validations when using the HTML5 named entity : in URI attributes.

The wp_kses_bad_protocol() function is responsible for validating that URI attributes don't contain invalid or disallowed protocols. However, prior to this fix, the function did not properly recognize when the colon HTML5 named entity (:) was used, which could allow attackers to bypass these security checks.

This vulnerability could potentially be exploited to perform cross-site scripting (XSS) attacks by injecting malicious code through URI attributes that should have been sanitized.

Props to xknown, nickdaugherty, and peterwilsoncc for identifying and fixing this security issue.

Performance Improvements

No specific performance improvements were included in this release. WordPress 3.8.32 focuses exclusively on addressing the security vulnerability in the wp_kses_bad_protocol() function.

Impact Summary

WordPress 3.8.32 addresses a critical security vulnerability that could allow attackers to bypass security validations in the wp_kses_bad_protocol() function by using the HTML5 named entity : in URI attributes. This could potentially lead to cross-site scripting (XSS) attacks.

The fix ensures that the wp_kses_bad_protocol() function properly recognizes and handles the : HTML5 named entity when validating URI attributes, closing this security loophole.

This is a targeted security release with minimal code changes (45 additions, 3 deletions across 5 files) focused exclusively on addressing this specific vulnerability. The update has been backported from newer WordPress versions to ensure that even users on the older 3.8 branch are protected from this security issue.

While this update doesn't introduce any new features or change existing functionality, it's critical for maintaining the security integrity of WordPress installations running version 3.8.