WordPress Release: 3.8.35
Tag Name: 3.8.35
Release Date: 10/29/2020
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 3.8.35 Release
This maintenance release focuses on security enhancements and bug fixes for WordPress 3.8. It addresses several security vulnerabilities including XML-RPC improvements, deserialization protection, and access control issues. The update also improves error handling, fixes screen option filters, and enhances backward compatibility. This release is important for all WordPress 3.8 installations to maintain security and stability.
Highlight of the Release
- Enhanced security for XML-RPC functionality with improved error messages
- Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential vulnerabilities
- Added backward compatibility for screen option filters
- Improved access control for theme background image settings
Migration Guide
This is a maintenance and security release that doesn't require any specific migration steps. Simply update to WordPress 3.8.35 through your WordPress dashboard or by downloading the update from wordpress.org.
If you're a developer who has implemented custom code using the set-screen-option filter, be aware that there's now an additional set_screen_option_{$option} filter that provides more granular control. Your existing code should continue to work as expected due to the backward compatibility measures implemented in this release.
Upgrade Recommendations
Immediate upgrade recommended for all WordPress 3.8 installations.
This release contains important security fixes that address multiple vulnerabilities. All WordPress 3.8 sites should be updated immediately to version 3.8.35 to ensure protection against potential security threats.
While WordPress 3.8 is no longer receiving regular feature updates, security updates like this one are critical for maintaining site security. However, for the best experience and ongoing support, consider upgrading to the latest major version of WordPress when possible.
Bug Fixes
- Screen Options: Fixed issues with the set-screen-option filter by ensuring results are properly passed to the new set_screen_option_{$option} filter for backward compatibility.
- XML-RPC: Improved error handling when attachment IDs are incorrect, providing clearer feedback.
- Installation Status: Enhanced logic checks when determining WordPress installation status to prevent potential issues.
- Meta Protection: Fixed meta key handling by ensuring proper sanitization before checking protection status.
- Theme Background: Resolved a security issue where non-privileged users could potentially set background images when a theme uses the deprecated custom background page.
New Features
New Filter for Screen Options
Added a new set_screen_option_{$option} filter to ensure backward compatibility when handling screen options. This provides developers with more granular control over specific screen options while maintaining compatibility with existing code that uses the general set-screen-option filter.
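A plugin-side use of the per-option filter described above, as an added example that is not code from WordPress core or from this release. The option name myplugin_items_per_page, the function name and the 1 to 200 range are hypothetical, and the callback is assumed to receive the same three arguments as set-screen-option.

```php
<?php
/**
 * Plugin Name: Screen Option Filter Example (constructed for illustration)
 */

// Hypothetical screen option name, used only in this example.
define( 'MYPLUGIN_PER_PAGE_OPTION', 'myplugin_items_per_page' );

/**
 * Validate the submitted value for this plugin's own screen option.
 *
 * Assumed arguments (same as the general set-screen-option filter):
 *   $status - value carried in from earlier filters (false by default)
 *   $option - name of the screen option being saved
 *   $value  - value submitted by the user
 *
 * Returning false makes core skip saving the option.
 */
function myplugin_filter_screen_option( $status, $option, $value ) {
	// Act only on our own option; never approve values for other options.
	if ( MYPLUGIN_PER_PAGE_OPTION !== $option ) {
		return $status;
	}

	// Treat the submitted value as untrusted: coerce to a non-negative integer.
	$value = absint( $value );

	// Reject anything outside the range this plugin supports.
	if ( $value < 1 || $value > 200 ) {
		return false;
	}

	return $value;
}

// Per-option hook: fires only for this option name.
add_filter(
	'set_screen_option_' . MYPLUGIN_PER_PAGE_OPTION,
	'myplugin_filter_screen_option',
	10,
	3
);

// General hook, kept so the same check runs on cores without the new filter.
add_filter( 'set-screen-option', 'myplugin_filter_screen_option', 10, 3 );
```

The name check matters most on the general hook: a callback there that returns $value for every option name would approve saving screen options that belong to other code.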
Security Updates
- XML-RPC Security: Improved error messages for unprivileged users to prevent information disclosure and enhanced error handling for incorrect attachment IDs.
- Deserialization Protection: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection vulnerabilities.
- Embed Security: Disabled embeds on deactivated Multisite sites to prevent potential misuse.
- Escaping Functions: Modified escaping functions to avoid potential false positives that could lead to security issues.
- Meta Protection: Enhanced sanitization of meta keys before checking protection status to prevent unauthorized access.
- Theme Background: Improved access control to ensure only privileged users can set background images when themes use deprecated custom background functionality.
Performance Improvements
No specific performance improvements were included in this release. The focus was primarily on security enhancements and bug fixes.
Impact Summary
WordPress 3.8.35 is primarily a security-focused maintenance release that addresses several vulnerabilities and improves the overall security posture of WordPress 3.8 installations. The update includes fixes for XML-RPC functionality, deserialization protection, and access control improvements.
For administrators and site owners, this update provides essential security enhancements without requiring any workflow changes. Developers will benefit from improved filter naming and additional hooks for screen options, enhancing both clarity and extensibility.
The security improvements in this release are particularly important for sites that use XML-RPC functionality, multisite installations, and sites using themes with custom background functionality. By addressing these vulnerabilities, WordPress 3.8.35 helps protect sites from potential attacks and unauthorized access.
While WordPress 3.8 is an older version that doesn't receive feature updates, this security maintenance release demonstrates WordPress's commitment to supporting older versions with critical security fixes. However, users are encouraged to consider upgrading to a more recent WordPress version for access to new features, performance improvements, and ongoing support.
Statistics:
User Affected:
- Improved security for XML-RPC functionality
- Better error messages for unprivileged users
- Enhanced protection for meta key handling
- Fixed screen option filters for better backward compatibility
