WordPress Release: 3.9.24

TL;DR

WordPress 3.9.24 brings important security and maintenance updates to the 3.9 branch

This maintenance release addresses security vulnerabilities by implementing safer redirects during login and proper escaping of version strings in templates. It also updates the copyright year in license files. While this is a minor update in terms of changes, it's important for sites still running WordPress 3.9 to upgrade for improved security.

Highlight of the Release

• Enhanced login security with wp_safe_redirect() for HTTPS redirects
• Fixed template vulnerability by properly escaping version strings
• Updated copyright year to 2018 in license.txt

Migration Guide

No specific migration steps are required for this update. This is a maintenance release that can be applied through the standard WordPress update process.

For sites still running WordPress 3.9, it's recommended to update to this version immediately to benefit from the security improvements, though considering an upgrade to a more recent major version of WordPress would provide additional security and feature benefits.

Upgrade Recommendations

This update is highly recommended for all sites still running WordPress 3.9, as it includes important security fixes.

However, it's important to note that WordPress 3.9 is an older branch that is no longer receiving regular updates. For optimal security and functionality, sites should consider upgrading to the latest WordPress version when possible.

Upgrade Priority: High (for sites on WordPress 3.9) Compatibility: This update should be compatible with all existing plugins and themes that work with WordPress 3.9

Bug Fixes

• Fixed issue #43007 related to copyright information in license files
• Addressed security vulnerability in login redirects when HTTPS is enforced
• Fixed potential XSS vulnerability by ensuring version strings are properly escaped in templates

New Features

No significant new features were added in this maintenance release. WordPress 3.9.24 focuses on security enhancements and bug fixes for the 3.9 branch.

Security Updates

Security Enhancements

• Login Redirect Security: Implemented wp_safe_redirect() when redirecting the login page if forced to use HTTPS, preventing potential redirect vulnerabilities
• Template Security: Fixed a potential XSS vulnerability by ensuring version strings are properly escaped for use in HTML attributes

These security enhancements help protect WordPress sites from potential attacks that could exploit unprotected redirects or unescaped output in templates.

Performance Improvements

No specific performance improvements were included in this maintenance release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 3.9.24 is a targeted security and maintenance release that addresses specific vulnerabilities in the login process and template rendering. While the changes are minimal (30 changes across 6 files), they significantly improve the security posture of sites running WordPress 3.9.

The security improvements focus on preventing potential redirect attacks during login processes and cross-site scripting (XSS) vulnerabilities in templates. These changes help protect WordPress sites from common attack vectors without introducing any breaking changes or requiring modifications to existing configurations.

For the WordPress ecosystem, this release demonstrates the ongoing commitment to maintaining security even for older branches, though users should be aware that the 3.9 branch is significantly outdated compared to current WordPress versions.