WordPress Release: 3.9.26
Tag Name: 3.9.26
Release Date: 12/13/2018
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 3.9.26 is a security and maintenance release that addresses several important security vulnerabilities and improves the platform's stability. This update focuses on enhancing MIME file type verification, improving multisite activation processes, and fixing potential security issues with KSES filtering. The release also removes the ability to update certain sensitive fields through user input, preventing potential security exploits.
This update is critical for all WordPress 3.9.x installations to maintain security and ensure proper functionality of media handling, user activation in multisite environments, and content filtering.
Highlight of the Release
- Improved security for media uploads with enhanced MIME file type verification
- Better multisite user activation with improved messaging and validation
- Enhanced KSES filtering with DRY implementation of URI attributes
- Removed ability to update sensitive fields through user input
- Conditional removal of the <form> element from allowed post tags
Migration Guide
This is a security and maintenance release that doesn't require specific migration steps. Simply update to WordPress 3.9.26 using the standard WordPress update process:
- Back up your WordPress site (files and database)
- Navigate to Dashboard > Updates
- Click "Update Now"
Alternatively, you can download the update from WordPress.org and perform a manual update.
No database schema changes or special configuration adjustments are required for this update.
Upgrade Recommendations
Priority: Critical
All WordPress sites running version 3.9.x should upgrade to 3.9.26 immediately. This release contains important security fixes that protect your site from potential vulnerabilities.
If you're running an older version of WordPress (3.9.x), updating to 3.9.26 is strongly recommended to ensure your site remains secure. However, for optimal security and features, consider upgrading to the latest major WordPress version if your site's themes and plugins are compatible.
This update is backward compatible with all 3.9.x installations and should not cause any issues with existing functionality.
Bug Fixes
- Multisite Activation Issues: Fixed issues where users could attempt to activate a site multiple times, now ensuring proper messaging when following activation links more than once.
- KSES Filtering Consistency: Addressed inconsistencies in KSES filtering by making the URI attributes implementation DRY (Don't Repeat Yourself).
- Form Element Handling: Conditionally removes the <form> element from $allowedposttags while maintaining backward compatibility by re-adding it if custom filters have added <input> or <select> elements.
New Features and Enhancements
- KSES URI Attributes Management: Added the new wp_kses_uri_attributes function and filter to centralize the list of URI attributes, preventing inconsistency and allowing plugins to customize these attributes.
- Improved Multisite Activation: Enhanced the user experience for multisite activations with better messaging for previously activated users and improved validation of activation links.
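As an added example (not WordPress core code and not from the page), this snippet shows how a plugin would use the new wp_kses_uri_attributes filter: a hypothetical data-preview-url attribute is allowed on <a> in post content and then registered as URI-bearing, so KSES runs its protocol check on it exactly as it does for href and src. The attribute name and the check function are assumptions for illustration.

```php
<?php
/**
 * Example plugin snippet (hypothetical): make a custom attribute go through
 * KSES URI validation by adding it to the centralized URI attribute list.
 */

// 1. Allow the hypothetical data-preview-url attribute on <a> in the 'post'
//    KSES context (the context used by wp_kses_post()).
add_filter( 'wp_kses_allowed_html', function ( $allowed, $context ) {
    if ( 'post' === $context && isset( $allowed['a'] ) ) {
        $allowed['a']['data-preview-url'] = true;
    }
    return $allowed;
}, 10, 2 );

// 2. Register it as a URI attribute. Without this, KSES treats the value as an
//    opaque string and would not strip disallowed protocols from it.
add_filter( 'wp_kses_uri_attributes', function ( $uri_attributes ) {
    $uri_attributes[] = 'data-preview-url';
    return $uri_attributes;
} );

// 3. Self-check (hypothetical helper): run from WP-CLI or a plugin test to
//    confirm that a disallowed protocol in the custom attribute is removed.
function example_preview_url_is_sanitized() {
    // Constructed sample input for the check.
    $input = '<a href="https://example.com/" data-preview-url="javascript:alert(1)">x</a>';
    $clean = wp_kses_post( $input );
    return false === stripos( $clean, 'javascript:' );
}
```

The same filter lets you audit which attributes are treated as URIs on a given site, which is useful when a plugin adds markup that KSES does not know about.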
Security Updates
- Media Upload Security: Enhanced verification of MIME file types to prevent potential security vulnerabilities related to file uploads.
- Post Editor Security: Removed the ability to update sensitive fields (meta_input, file, and guid) through user input in the post editor, preventing potential security exploits.
- KSES Filtering: Improved HTML filtering by conditionally removing the <form> element from allowed post tags and implementing a more consistent approach to URI attributes.
- Multisite Activation: Added validation for activation links in multisite environments to prevent potential security issues.
Performance Improvements
- KSES Filtering: Improved the efficiency of KSES filtering by centralizing URI attributes handling, reducing code duplication and potential inconsistencies.
- Multisite Activation Process: Streamlined the multisite activation process to prevent unnecessary repeated activation attempts.
Impact Summary
WordPress 3.9.26 is primarily a security-focused maintenance release that addresses several important vulnerabilities and improves system stability. The update enhances security in three key areas: media handling, content filtering, and multisite user activation.
The improved MIME file type verification strengthens protection against potentially malicious file uploads. The KSES filtering enhancements provide better consistency and security when handling HTML content, particularly with URI attributes and form elements. For multisite installations, the improved activation process prevents confusion and potential security issues with activation links.
This release also removes the ability to update sensitive fields through user input in the post editor, closing a potential security vector. While these changes are primarily under-the-hood improvements, they significantly enhance the security posture of WordPress 3.9.x installations without impacting normal site functionality.
Site administrators should prioritize this update to ensure their WordPress installations remain secure against known vulnerabilities.
