WordPress Release: 3.9.12
Tag Name: 3.9.12
Release Date: 5/6/2016
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 3.9.12 is a security and maintenance release that addresses several important security vulnerabilities and bug fixes. This update improves security by enhancing input validation, fixing improper escaping, and updating external libraries. It also improves multisite functionality and ensures taxonomy functions work correctly with special characters.
This release is important for all WordPress site owners as it patches security vulnerabilities that could potentially be exploited. Site administrators should update immediately to protect their websites from potential security threats.
Highlights of the Release
- Security improvements in shell command argument handling
- Enhanced email validation for multisite installations
- Improved IP address detection in HTTP requests
- Better escaping in multisite network settings
- Fixed taxonomy functions to properly handle special characters
- Updated plupload external library
Migration Guide
No specific migration steps are required for this update. WordPress 3.9.12 is a maintenance and security release that should not affect existing functionality or require changes to themes or plugins.
To update:
- Back up your WordPress files and database
- Update through the WordPress admin dashboard or download the update and install it manually
- No additional configuration changes are needed after updating
Upgrade Recommendations
Priority: High
All WordPress site owners running version 3.9.x should update to version 3.9.12 immediately. This release contains important security fixes that address vulnerabilities that could potentially be exploited.
If you're running an older version of WordPress (pre-3.9), you should consider upgrading to the latest supported version of WordPress for maximum security and feature improvements.
For sites using automatic background updates, WordPress may have already updated to version 3.9.12. However, it's recommended to verify your current version in the WordPress dashboard under "At a Glance" or at the bottom of any admin page.
Bug Fixes
- Taxonomy Handling: Fixed issues with taxonomy functions when working with taxonomy names containing special characters. While the WordPress Codex recommends using only lowercase letters and underscores for taxonomy names, this wasn't enforced, leading to problems when plugins used special characters in taxonomy names.
- HTTP Request Handling: Improved the detection and validation of IP addresses in HTTP requests, preventing potential issues with malformed or invalid IP addresses.
- Shell Command Handling: Updated Snoopy to use escapeshellarg() instead of escapeshellcmd() for proper escaping of shell arguments, providing more semantically correct and secure handling of command arguments.
New Features
No significant new features were introduced in this maintenance release. WordPress 3.9.12 focuses primarily on security enhancements and bug fixes to improve the stability and security of existing functionality.
Security Updates
- Shell Command Security: Improved security in the Snoopy library by using escapeshellarg() instead of escapeshellcmd() for proper escaping of shell arguments, reducing the risk of command injection attacks.
- Multisite Email Validation: Enhanced validation of new email address confirmations in multisite installations, preventing potential security issues related to email verification.
- IP Address Validation: Improved detection and validation of IP addresses in HTTP requests, helping to prevent potential security vulnerabilities related to IP spoofing or malformed requests.
- Network Settings Escaping: Enhanced escaping in multisite network settings to prevent potential XSS (Cross-Site Scripting) vulnerabilities.
- External Libraries: Updated plupload from upstream to address potential security vulnerabilities in the file upload library.
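Why the Snoopy change matters, as an added example (not WordPress or Snoopy code): a constructed value is handed to a harmless printf through each escaping function, and the helper received_args(), a name introduced here, returns the arguments the program actually received. It assumes the PHP CLI on a POSIX system with exec() enabled.

```php
<?php
// Added illustration; not WordPress or Snoopy code.
// Assumes PHP CLI on a POSIX system (/bin/sh available, exec() enabled).

// Run printf with the already-escaped text appended and return what it saw.
// printf emits one bracketed line per argument, so the number of lines
// equals the number of arguments the shell passed to the program.
function received_args(string $escaped): array
{
    $lines = [];
    exec("printf '[%s]\\n' " . $escaped, $lines);
    return $lines;
}

// Constructed input: a single "URL" value that contains spaces and an
// option-like token. The host and the flag name are made up.
$value = 'https://example.test/feed --constructed-flag value';

// escapeshellcmd() backslash-escapes shell metacharacters such as ; | & $
// but leaves spaces untouched, so the shell still splits the value into
// several arguments. It is meant for a whole command string.
$viaCmd = received_args(escapeshellcmd($value));

// escapeshellarg() wraps the value in single quotes (and escapes any
// embedded single quote), so the shell passes it as exactly one argument.
$viaArg = received_args(escapeshellarg($value));

printf("escapeshellcmd(): %d argument(s) received\n", count($viaCmd));
print_r($viaCmd);

printf("escapeshellarg(): %d argument(s) received\n", count($viaArg));
print_r($viaArg);
```

Quoting keeps the value as one argument, but a value that begins with `-` can still be read as an option by the called program, so validate the value as well or place it after `--` where the program supports that.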
Performance Improvements
No specific performance improvements were highlighted in this release. The changes focus primarily on security enhancements and bug fixes rather than performance optimizations.
Impact Summary
WordPress 3.9.12 is primarily a security-focused maintenance release that addresses several important vulnerabilities and bugs. The impact is largely positive, enhancing the security posture of WordPress installations without introducing breaking changes.
The security improvements focus on proper input validation, escaping, and library updates. These changes help protect sites from potential security threats including command injection, cross-site scripting, and other common web vulnerabilities.
For multisite installations, this update is particularly important as it improves email validation and network settings security. Developers will benefit from the fix for taxonomy functions with special characters, which resolves compatibility issues with certain plugins.
Overall, this update represents an important maintenance release that all WordPress 3.9.x users should apply promptly to maintain the security and stability of their websites.
