HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

3.9.28

WordPress Release: 3.9.28

Tag Name: 3.9.28

Release Date: 9/4/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 3.9.28 focuses on security enhancements with multiple fixes for URL handling and sanitization. This maintenance release addresses several potential vulnerabilities related to URL validation, content processing, and attachment uploads, making it an important security update for all WordPress 3.9 installations.

Highlight of the Release

    • Improved URL validation in wp_validate_redirect()
    • Enhanced security for attachment uploads in wp_ajax_upload_attachment()
    • Fixed URL sanitization in wp_kses_bad_protocol_once()
    • Removed potentially vulnerable function from content processing

Migration Guide

No specific migration steps are required for this update. This is a direct update that addresses security vulnerabilities without changing APIs or functionality.

To update to WordPress 3.9.28:

  1. Back up your WordPress site (files and database)
  2. Update through the WordPress admin dashboard or download the update and install it manually
  3. Verify your site is functioning correctly after the update

No changes to themes, plugins, or custom code should be necessary as a result of this update.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes that address multiple potential vulnerabilities in WordPress 3.9. All users running WordPress 3.9.x are strongly encouraged to update to version 3.9.28 immediately.

While WordPress 3.9 is no longer officially supported (current version is much higher), if you are still running a 3.9.x site, this update is critical to maintain basic security protections. However, for optimal security and functionality, upgrading to the latest major WordPress version is highly recommended.

The security improvements in this release help protect sites from:

  • Potential XSS vulnerabilities
  • URL validation issues
  • Content processing vulnerabilities
  • Attachment upload security concerns

Bug Fixes

Security-Related Bug Fixes

  • Removed _convert_urlencoded_to_entities() from the get_the_content() callback to prevent potential security issues with content processing.
  • Fixed URL sanitization in wp_kses_bad_protocol_once() to better handle potentially malicious URLs.
  • Improved URL validation in wp_validate_redirect() to prevent potential redirect vulnerabilities.
  • Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities.

New Features

No new features were added in this release. WordPress 3.9.28 is a security maintenance release focused on addressing vulnerabilities and improving existing functionality.

Security Updates

Security Enhancements

  • URL Validation: Improved the URL validation mechanism in wp_validate_redirect() to better protect against malicious redirects.
  • Content Processing: Removed the potentially vulnerable _convert_urlencoded_to_entities() function from the get_the_content() callback to prevent security issues with content processing.
  • Attachment Uploads: Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities during file uploads.
  • URL Sanitization: Fixed URL sanitization in wp_kses_bad_protocol_once() to better handle and filter potentially malicious URLs.

These security fixes address multiple potential vulnerabilities that could be exploited by malicious actors.

Performance Improvements

No specific performance improvements were included in this release. The changes were primarily focused on security enhancements.

Impact Summary

WordPress 3.9.28 is a security-focused maintenance release that addresses several potential vulnerabilities related to URL handling, content processing, and attachment uploads. While it doesn't introduce new features or change existing functionality, it significantly improves the security posture of WordPress 3.9 installations.

The primary impact is enhanced security through improved URL validation, better sanitization of user inputs, and removal of potentially vulnerable code paths. Site administrators should update immediately to protect their sites from potential security exploits.

For developers who have extended WordPress core functionality related to URL handling or attachment uploads, reviewing these changes may be beneficial, though no API changes should affect existing code.

This release represents ongoing maintenance for the 3.9 branch, though users should be aware that WordPress 3.9 is no longer officially supported and upgrading to a current WordPress version is recommended for optimal security and functionality.

Statistics:

File Changed14
Line Additions54
Line Deletions107
Line Changes161
Total Commits6

User Affected:

  • Need to update their WordPress installations to address security vulnerabilities
  • Benefit from improved URL validation and sanitization
  • Reduced risk of potential security exploits targeting their sites

Contributors:

whyisjakeSergeyBiryukovdesrosj