WordPress Release: 3.9.22

Tag Name: 3.9.22

Release Date: 11/29/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.22: Security Hardening Update

This maintenance release focuses on security hardening measures and bug fixes for WordPress 3.9. It addresses several security issues: language attributes are now properly escaped, enclosures in feeds are handled securely, and JavaScript file uploads are restricted. The update also fixes PHP notices related to AUTH_SALT and improves hash generation for better security.

Highlight of the Release

  • Multiple security hardening measures implemented
  • Fixed PHP notices related to AUTH_SALT configuration
  • Improved escaping for language attributes and feed enclosures
  • Restricted JavaScript file uploads for users without appropriate capabilities

Migration Guide

No migration steps are required for this update. This is a standard security and maintenance release that can be applied through the normal WordPress update process.

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress 3.9 installations.

This release contains important security hardening measures that protect your WordPress site from potential vulnerabilities. Given the security-focused nature of this update, all users running WordPress 3.9 should update to version 3.9.22 as soon as possible.

For users on newer major versions of WordPress (4.0 and above), this update does not apply, as those versions already contain these security improvements and more.

Bug Fixes

  • Fixed PHP notice that occurred when AUTH_SALT was undefined
  • Added validation to check that AUTH_SALT is not empty
  • Addressed issues #42431 and #42401 related to WPDB functionality
  • Removed version number from the readme file (fixes #42386)

New Features

No new features were added in this release. WordPress 3.9.22 is primarily a security hardening and bug fix release for the 3.9 branch.

Security Updates

Security Hardening

  • Improved Hash Generation: Replaced a deterministic substring with a properly generated hash for the newbloguser key, so the key is no longer predictable
  • Enhanced HTML Language Attributes: Added proper escaping to the language attributes used on the html element to prevent potential XSS vulnerabilities
  • Secured Feed Enclosures: Implemented correct escaping for attributes of enclosures in RSS and Atom feeds to prevent potential injection attacks
  • JavaScript Upload Restrictions: Removed the ability to upload JavaScript files for users who do not have the unfiltered_html capability, reducing the risk of malicious code execution
  • AUTH_SALT Validation: Added checks to ensure AUTH_SALT is properly defined and not empty, strengthening authentication security
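As an added defender-side check (not code from WordPress or from this page), the script below audits a wp-config.php for the AUTH_SALT constant and the other salt/key constants WordPress expects, flagging values that are undefined, empty, still the installer placeholder, or suspiciously short, and checks a wp-includes/version.php string against 3.9.22. The sample config and version strings are constructed; the simplified define() parser only handles plain quoted string values.

```python
import re

# Constant names WordPress reads from wp-config.php; the 3.9.22 fix concerns
# AUTH_SALT being undefined or empty, but the same audit applies to all eight.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # default text in wp-config-sample.php
MIN_LEN = 32                                  # assumed minimum for a usable secret

# Simplified matcher for define('NAME', 'value'); values with embedded quotes are not handled.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_0-9]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""")

def parse_defines(config_text):
    """Map constant name -> string value for each quoted define() in the config."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}

def audit_salts(config_text):
    """Return (constant, problem) pairs for every salt/key that is not usable."""
    defines = parse_defines(config_text)
    findings = []
    for key in SALT_KEYS:
        if key not in defines:
            findings.append((key, "undefined"))     # the case that raised the PHP notice
        elif defines[key].strip() == "":
            findings.append((key, "empty"))         # the case the new validation rejects
        elif defines[key] == PLACEHOLDER:
            findings.append((key, "placeholder"))
        elif len(defines[key]) < MIN_LEN:
            findings.append((key, "short"))
    return findings

def parse_wp_version(version_php):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""", version_php)
    return m.group(1) if m else None

def needs_update(version, fixed="3.9.22"):
    """True only for 3.9.x installs older than the fixed release; other branches are out of scope."""
    vt = tuple(int(p) for p in version.split("."))
    return vt[:2] == (3, 9) and vt < tuple(int(p) for p in fixed.split("."))

# Constructed sample config: one good key, one placeholder, one empty, one short, salts missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',        'constructed-sample-key-with-more-than-32-characters');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   '');
define('NONCE_KEY',       'short');
"""
SAMPLE_VERSION = "<?php\n$wp_version = '3.9.21';\n"
```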

Performance Improvements

No specific performance improvements were included in this release. The focus was on security hardening and bug fixes.

Impact Summary

WordPress 3.9.22 is a security-focused maintenance release that addresses several potential vulnerabilities through improved escaping, validation, and access controls. The update strengthens security for language attributes in HTML, enclosures in feeds, and restricts JavaScript uploads for users without appropriate permissions. It also fixes PHP notices related to AUTH_SALT configuration.

While this release doesn't introduce new features or significant changes to functionality, it's an important update for maintaining the security posture of WordPress 3.9 installations. The security hardening measures implemented help protect sites from potential XSS attacks, injection vulnerabilities, and unauthorized code execution.

This release is particularly important for sites that, for various reasons, have not upgraded to newer major versions of WordPress and continue to run on the 3.9 branch.

Statistics:

Files changed: 10
Line additions: 21
Line deletions: 22
Line changes: 43
Total commits: 8

Users Affected:

  • Enhanced security for site administration with improved hash generation
  • Fixed PHP notices when AUTH_SALT is undefined
  • More secure handling of language attributes and feed enclosures

Contributors:

johnbillion, dd32, ocean90