
WordPress Release: 3.9.20

Tag Name: 3.9.20

Release Date: 9/19/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.20 is a security-focused maintenance release that addresses several important vulnerabilities. This update includes multiple security hardening measures for the database API, editor, filesystem, and admin interfaces. It blocks javascript: and data: URLs in the inline link dialog, tightens input validation, and hardens the admin interface against potential exploits. All WordPress 3.9 users should update immediately to protect their sites from these security issues.

Highlight of the Release

  • Security hardening for wpdb::prepare() to prevent SQL injection vulnerabilities
  • Prevention of javascript: and data: URLs in the inline link dialog
  • Improved URL encoding and validation throughout the admin interface
  • Enhanced file path validation in the unzip functionality
  • Better handling of HTTP referrers for user operations

Migration Guide

No specific migration steps are required for this update. This is a direct security update that should be applied immediately without any expected compatibility issues.

Upgrade Recommendations

This release contains important security fixes. All WordPress 3.9 users should update immediately to protect their sites from potential security vulnerabilities.

If you're running an older version of WordPress, consider updating to the latest supported version (WordPress 5.x) for improved security, features, and performance.

Bug Fixes

Security and Bug Fixes

  • Editor: Prevented adding potentially malicious javascript: and data: URLs through the inline link dialog
  • Users: Added fallback mechanism for incorrect HTTP referrers to improve reliability
  • Admin Interface: Improved URL-encoding and added extra hardening to plugin and template names when displayed in admin areas
  • Filesystem API: Enhanced validation of filenames before unzipping to prevent issues with malformed file paths
  • Database:
    • Fixed handling of null values in wpdb::prepare() to prevent unnecessary warnings
    • Improved escaping of percent signs in query strings
    • Added proper URL escaping for user-related functions

New Features

No significant new features were added in this release as it focuses primarily on security improvements and bug fixes.

Security Updates

Security Enhancements

  • Database Hardening: Multiple improvements to wpdb::prepare() to prevent SQL injection:
    • Enforced proper handling of placeholders (%s, %d, and %F) in query strings
    • Prevented additional values from being processed when arrays are passed
    • Improved escaping of percent signs in query strings
  • URL Validation:
    • Blocked potentially malicious javascript: and data: URLs in the editor's inline link dialog
    • Implemented proper URL escaping in user management functions
  • Admin Interface Protection:
    • Added URL-encoding and extra hardening to plugin and template names in admin displays
    • Improved validation of user inputs throughout the admin interface
  • Filesystem Security:
    • Enhanced validation of filenames before unzipping to prevent directory traversal attacks
    • Added checks to ensure malformed file paths don't cause security issues
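The database hardening above is about keeping untrusted data out of the query template. The following is an added example (not WordPress core code and not from this release) of a plugin query written the unsafe way and the way wpdb::prepare() is meant to be used; it assumes the global $wpdb object and treats the $_GET values as untrusted input.

```php
<?php
// Added example, not WordPress core code: look up posts by an author id
// and a search term taken from the request.
global $wpdb;

$author_id = isset( $_GET['author'] ) ? $_GET['author'] : '';
$term      = isset( $_GET['q'] ) ? $_GET['q'] : '';

// UNSAFE: request data is interpolated straight into the SQL. A value such
// as "1 OR 1=1", or one containing a quote, changes the query's structure,
// and a % in $term is treated as a LIKE wildcard.
$unsafe_sql = "SELECT ID, post_title FROM {$wpdb->posts}
               WHERE post_author = {$author_id}
               AND post_title LIKE '%{$term}%'";

// SAFE: every untrusted value is passed through a placeholder. %d casts to
// an integer and %s is quoted and escaped by wpdb::prepare(). The template
// itself carries no user data, so a % inside $term is never read as a
// placeholder. esc_like() escapes % and _ so they match literally, and the
// wildcard % signs are added to the *value*, not to the template.
$safe_sql = $wpdb->prepare(
    "SELECT ID, post_title FROM {$wpdb->posts}
     WHERE post_author = %d
     AND post_title LIKE %s",
    $author_id,
    '%' . $wpdb->esc_like( $term ) . '%'
);
$rows = $wpdb->get_results( $safe_sql );

// Also avoid building the query with sprintf() or interpolation first and
// calling prepare() on the result: once user data is inside the template,
// prepare() cannot tell it apart from the placeholders you wrote.
```

For the editor hardening (rejecting javascript: and data: hrefs), here is an added allow-list check, again not WordPress core code; the function name is_allowed_link_href() is hypothetical. It allows only relative URLs and the http, https and mailto schemes, and normalises the common tricks (HTML entities, embedded tabs and newlines) before deciding.

```php
<?php
// Added example, not WordPress core code. Allow-list check for an href
// entered in a link dialog: relative URLs and http/https/mailto pass;
// javascript:, data: and every other scheme are rejected.
function is_allowed_link_href( $href ) {
    $allowed_schemes = array( 'http', 'https', 'mailto' );

    // Decode entities so "&#106;avascript:" is seen as "javascript:".
    $url = html_entity_decode( $href, ENT_QUOTES | ENT_HTML5, 'UTF-8' );

    // Browsers ignore ASCII control characters and whitespace inside a
    // scheme, so "java\tscript:" still executes. Strip them before checking.
    $url = preg_replace( '/[\x00-\x20\x7f]+/', '', $url );

    if ( $url === '' ) {
        return false;
    }

    // No "scheme:" prefix means a relative URL ("/about", "#top", "?p=1"),
    // which cannot carry a script or data payload.
    if ( ! preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $url, $m ) ) {
        return true;
    }

    // Allow-list rather than block-list: anything not listed is refused.
    return in_array( strtolower( $m[1] ), $allowed_schemes, true );
}
```

For the filesystem hardening, here is an added example (not WordPress core code) of validating an archive entry name before it is written below the extraction directory; the function name safe_extract_path() and the paths in the usage comment are hypothetical.

```php
<?php
// Added example, not WordPress core code. Returns the path to write to,
// or false if the entry must be skipped. Rejects absolute paths, drive
// letters, ".." segments, embedded NULs and anything that resolves
// outside $dest.
function safe_extract_path( $dest, $entry ) {
    $dest = rtrim( str_replace( '\\', '/', $dest ), '/' );
    $name = str_replace( '\\', '/', $entry );

    // Absolute paths, Windows drive letters and empty names are refused.
    if ( $name === '' || $name[0] === '/' || preg_match( '#^[a-zA-Z]:#', $name ) ) {
        return false;
    }

    // Refuse any ".." segment or NUL byte outright instead of trying to
    // normalise it away: a normaliser is exactly where traversal bugs hide.
    foreach ( explode( '/', $name ) as $segment ) {
        if ( $segment === '..' || strpos( $segment, "\0" ) !== false ) {
            return false;
        }
    }

    $target = $dest . '/' . $name;

    // Second line of defence: if the parent directory already exists, its
    // resolved path must still sit inside $dest (catches a symlink that an
    // earlier entry dropped into the tree). dirname() is used because the
    // file itself does not exist yet.
    $root   = realpath( $dest );
    $parent = realpath( dirname( $target ) );
    if ( $root !== false && $parent !== false
         && strpos( $parent . '/', $root . '/' ) !== 0 ) {
        return false;
    }

    return $target;
}

// Usage (hypothetical paths): skip entries the check refuses.
// $path = safe_extract_path( '/var/www/html/wp-content/upgrade/x', $entry_name );
// if ( false === $path ) { continue; }
```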

Performance Improvements

This release does not include any specific performance improvements as it is primarily focused on security enhancements.

Impact Summary

WordPress 3.9.20 is a critical security release that addresses multiple vulnerabilities that could potentially be exploited by malicious actors. The update focuses on hardening the database API, particularly the wpdb::prepare() function, to prevent SQL injection attacks. It also improves URL validation in the editor and admin interfaces, enhances filesystem security, and fixes issues with HTTP referrer handling.

The changes to wpdb::prepare() bring its behavior in line with documentation, which may affect developers who were relying on undocumented behavior. However, these changes are necessary to ensure proper security of WordPress installations.

This update is part of WordPress's ongoing commitment to security and should be applied immediately to all WordPress 3.9 installations. While WordPress 3.9 is no longer officially supported (current version is 5.x), this security release demonstrates WordPress's dedication to protecting users on legacy versions.

Statistics:

  • Files Changed: 15
  • Line Additions: 131
  • Line Deletions: 39
  • Line Changes: 170
  • Total Commits: 12

Users Affected:

  • Enhanced protection against potential security exploits in the admin area
  • Improved URL handling and validation for safer site management
  • Strengthened database query preparation to prevent SQL injection

Contributors:

johnbillion, ocean90, aaroncampbell