
WordPress Release: 3.9.33

Tag Name: 3.9.33

Release Date: 10/29/2020

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.33 is a security and maintenance release that addresses several important security vulnerabilities and improves error handling across multiple components. This update focuses on enhancing security for XML-RPC functionality, fixing deserialization issues in external libraries, improving error messages, and ensuring proper privilege checks throughout the system. The release also includes backward compatibility improvements for screen options in the admin area.

Highlight of the Release

    • Multiple security enhancements for XML-RPC functionality
    • Fixed deserialization vulnerability in external libraries
    • Improved backward compatibility for screen options in admin area
    • Enhanced error messages for better user experience
    • Better security for theme background image settings

Migration Guide

No specific migration steps are required for this update. This is a security and maintenance release that should be applied as soon as possible to ensure your WordPress installation remains secure.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes. All WordPress site owners should upgrade to version 3.9.33 immediately to protect their sites from potential security vulnerabilities.

The update process should be straightforward with no expected compatibility issues. As always, it's recommended to back up your site before performing any update.

Bug Fixes

Administration

  • Fixed backward compatibility issues with screen options by passing the result of the legacy set-screen-option filter into the new set_screen_option_{$option} filter
  • Renamed the $keep parameter to $screen_option in both filters for better clarity
  • Updated documentation to better reflect the purpose of these parameters

XML-RPC

  • Improved error messages for users with insufficient privileges
  • Fixed issue where incorrect attachment IDs would not return proper error messages

Installation and Upgrades

  • Enhanced logic check when determining installation status to prevent potential issues

Meta

  • Fixed sanitization of meta keys before checking protection status

New Features

WordPress 3.9.33 introduces a new filter set_screen_option_{$option} that works alongside the existing set-screen-option filter to ensure backward compatibility in the admin area. This enhancement provides developers with more granular control over screen options while maintaining compatibility with existing code.
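The following is an added example (not code from the WordPress core change) showing how a plugin would register a per-page screen option and validate the saved value through the filters named above. It assumes a hypothetical plugin screen whose option name is `myplugin_items_per_page`; the filter names, argument order (`$screen_option`, `$option`, `$value`) and `add_screen_option()` are WordPress APIs, everything else is illustrative.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress admin is loaded.
// Hypothetical option name; must end in "_page" for the legacy filter to fire.
define( 'MYPLUGIN_PER_PAGE_OPTION', 'myplugin_items_per_page' );

// Register the screen option on our hypothetical admin page so the
// "Screen Options" tab offers a per-page field.
add_action( 'load-toplevel_page_myplugin', function () {
    add_screen_option( 'per_page', array(
        'label'   => __( 'Items per page' ),
        'default' => 20,
        'option'  => MYPLUGIN_PER_PAGE_OPTION,
    ) );
} );

/**
 * Validate the submitted value before WordPress stores it as user meta.
 *
 * @param mixed  $screen_option Value produced by the legacy set-screen-option
 *                              filter (false when nothing has claimed it yet).
 * @param string $option        Option name being saved.
 * @param mixed  $value         Raw value from the Screen Options form.
 * @return mixed Sanitized value to store, or false to refuse saving.
 */
function myplugin_save_per_page( $screen_option, $option, $value ) {
    if ( MYPLUGIN_PER_PAGE_OPTION !== $option ) {
        return $screen_option; // not ours, leave whatever is there untouched
    }
    $value = absint( $value );
    if ( $value < 1 || $value > 200 ) {
        return false; // out of range: refuse to save rather than store junk
    }
    return $value;
}

// New, option-specific filter introduced in this release.
add_filter( 'set_screen_option_' . MYPLUGIN_PER_PAGE_OPTION, 'myplugin_save_per_page', 10, 3 );

// Legacy filter kept for installs that predate the new hook. Because the
// new filter receives the legacy result as $screen_option, hooking both is
// safe: the validation is idempotent.
add_filter( 'set-screen-option', 'myplugin_save_per_page', 10, 3 );
```

Hooking both filters is the backward-compatible pattern: on older cores only the legacy hook runs; on this release the legacy result flows into the new hook, which re-validates and returns the same value.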

Security Updates

XML-RPC Security Enhancements

  • Improved error messages for unprivileged users to prevent information disclosure
  • Fixed handling of attachment IDs to return appropriate error messages
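As an added illustration (not WordPress core code) of the fail-closed behaviour this section describes, here is a hypothetical custom XML-RPC method registered through the `xmlrpc_methods` filter. It authenticates with the server's own `login()`, rejects an invalid attachment ID with a 404-style `IXR_Error`, and returns a generic 401 when the caller lacks the capability, without revealing whether the item exists beyond what the caller is entitled to know. The method name and return payload are assumptions; `wp_xmlrpc_server::login()`, `IXR_Error`, `get_post()` and `current_user_can()` are WordPress APIs.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded and
// XML-RPC is enabled. Method name and payload are hypothetical.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['myplugin.getAttachmentInfo'] = 'myplugin_xmlrpc_get_attachment_info';
    return $methods;
} );

/**
 * Handle myplugin.getAttachmentInfo( blog_id, username, password, attachment_id ).
 *
 * @param array $args Positional XML-RPC arguments.
 * @return array|IXR_Error
 */
function myplugin_xmlrpc_get_attachment_info( $args ) {
    global $wp_xmlrpc_server;

    $wp_xmlrpc_server->escape( $args );
    list( $blog_id, $username, $password, $attachment_id ) = $args;

    // Authenticate first; core sets $wp_xmlrpc_server->error on failure.
    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }

    // Validate the ID before doing anything with it, so a bogus ID
    // produces a clear error instead of an empty or misleading response.
    $attachment_id = (int) $attachment_id;
    $attachment    = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
    }

    // Privilege check: a generic message, no detail about the item.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return new IXR_Error( 401, __( 'Sorry, you are not allowed to view this item.' ) );
    }

    return array(
        'id'    => $attachment_id,
        'title' => $attachment->post_title,
        'link'  => wp_get_attachment_url( $attachment_id ),
    );
}
```

The order matters: authentication, then input validation, then the capability check, each returning a distinct but non-revealing error.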

External Libraries

  • Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential security vulnerabilities
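The page does not show the library change itself, so the following is an added, self-contained illustration of the hardening pattern: a class that stores a callable must not let `unserialize()` restore that callable, otherwise a serialized payload reaching `unserialize()` could cause an attacker-chosen function to run when the object is used. The class name `Hypothetical_FilteredList` and its methods are assumptions, not the Requests library's code.

```php
<?php
// Added example, not Requests or WordPress code. Plain PHP, runs stand-alone.
class Hypothetical_FilteredList {
    private $data;
    private $callback;

    public function __construct( array $data, $callback ) {
        $this->data     = $data;
        // Only accept a callable at construction time.
        $this->callback = is_callable( $callback ) ? $callback : null;
    }

    // Apply the stored callback to every element (the behaviour a
    // filtered iterator provides).
    public function all() {
        if ( null === $this->callback ) {
            return $this->data;
        }
        return array_map( $this->callback, $this->data );
    }

    // Hardening: drop the callback whenever an instance is rebuilt by
    // unserialize(), so serialized data can never choose what gets called.
    public function __wakeup() {
        $this->callback = null;
    }
}

// Demonstration with constructed input.
$list = new Hypothetical_FilteredList( array( 'a', 'b' ), 'strtoupper' );
var_dump( $list->all() );                          // array( 'A', 'B' )

$rebuilt = unserialize( serialize( $list ) );
var_dump( $rebuilt->all() );                       // array( 'a', 'b' ): callback gone
```

After the round trip the object still works as a plain container but no longer carries any callable, which is the property the release restores for Requests_Utility_FilteredIterator. Classes that implement `Serializable` or `__unserialize()` need the equivalent guard in those paths, since `__wakeup()` is not invoked there.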

Embeds

  • Disabled embeds on deactivated Multisite sites to prevent potential misuse

Escaping Functions

  • Modified escaping functions to avoid potential false positives that could lead to security issues

Theme Security

  • Ensured that only privileged users can set a background image when a theme is using the deprecated custom background page

Performance Improvements

No specific performance improvements were highlighted in this release.

Impact Summary

WordPress 3.9.33 is primarily a security-focused release that addresses several vulnerabilities across different components of the CMS. The most significant changes involve XML-RPC security improvements, prevention of deserialization attacks in external libraries, and better privilege checking for various administrative functions.

For developers, the release introduces a more consistent approach to screen option handling with improved parameter naming and backward compatibility. The addition of the set_screen_option_{$option} filter provides more granular control while maintaining compatibility with existing code.

Site administrators will benefit from enhanced security measures and better error handling, particularly in XML-RPC functionality and during installation processes. The fixes for embeds on deactivated Multisite sites and improved meta key sanitization further strengthen the overall security posture of WordPress installations.

This update demonstrates WordPress's ongoing commitment to security and maintaining backward compatibility, making it an essential upgrade for all WordPress users.

Statistics:

Files Changed: 17
Line Additions: 137
Line Deletions: 36
Line Changes: 173
Total Commits: 4

User Affected:

  • Improved backward compatibility for screen options in the admin area
  • Enhanced security when setting background images in themes
  • Better error handling during installation and upgrades

Contributors:

SergeyBiryukov, whyisjake, desrosj