
WordPress Release: 3.9.37

Tag Name: 3.9.37

Release Date: 8/30/2022

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.37 Release

This security maintenance release focuses on addressing several security vulnerabilities in WordPress 3.9. The update includes important security fixes for output escaping in various functions, ensuring bookmark query limits are properly validated, and improvements to the GitHub Actions workflow for Slack notifications. This release is part of WordPress's ongoing commitment to maintain security for legacy versions.

Highlight of the Release

    • Security fixes for output escaping in the_meta() function
    • Validation improvements for bookmark query limits
    • Enhanced security for plugin error messages
    • Updated GitHub Actions workflow for Slack notifications

Migration Guide

No migration steps are required for this security update. This is a direct update that fixes security vulnerabilities without changing functionality or requiring any action from users beyond updating to the latest version.

Upgrade Recommendations

It is strongly recommended that all WordPress 3.9 sites be updated to version 3.9.37 immediately to address the security vulnerabilities fixed in this release.

While WordPress 3.9 is no longer officially supported with regular updates, the WordPress security team continues to provide security fixes for legacy versions as a courtesy. However, for the best security and features, users should consider upgrading to the latest supported WordPress version.

Bug Fixes

Security Bug Fixes

  • Posts & Post Types: Fixed potential XSS vulnerability by properly escaping output within the the_meta() function.
  • General: Added validation to ensure bookmark query limits are numeric, preventing potential security issues.
  • Plugins: Enhanced security by properly escaping output in plugin error messages.

Development Workflow Fixes

  • Removed reliance on the workflow_run event for posting Slack notifications.
  • Deleted workflows that were mistakenly backported and not relevant to this branch.
  • Fixed various GitHub Actions related issues to maintain tooling consistency.

New Features

No significant new features were added in this maintenance release. WordPress 3.9.37 focuses primarily on security fixes and workflow improvements for the development process.

Security Updates

Security Enhancements

  • XSS Protection: Fixed a cross-site scripting vulnerability in the the_meta() function by properly escaping output.
  • Input Validation: Added proper validation to ensure bookmark query limits are numeric, preventing potential SQL injection attacks.
  • Output Escaping: Enhanced security in plugin error messages by properly escaping output, reducing the risk of XSS attacks.
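The two fix patterns this release describes (escaping values at output time, and forcing a query limit to be numeric before it reaches SQL) as an added PHP illustration. This is not the WordPress core patch itself; the wrapper functions render_post_meta_safely(), safe_bookmark_limit() and list_bookmarks_safely() are hypothetical names chosen for the example, while get_post_custom_keys(), get_post_custom_values(), get_bookmarks(), esc_html(), esc_url() and absint() are real WordPress core functions.

```php
<?php
// Added example of the two patterns named in the 3.9.37 notes.
// Not WordPress core's own code; the three function names defined
// here are hypothetical. Assumes it runs inside WordPress so the
// core helpers (esc_html, absint, get_bookmarks, ...) are loaded.

// --- 1. Escape custom-field output for the HTML context -----------------
// Post meta values are strings written by anyone who can edit the post,
// so they may contain markup. Escaping at output time, for the context
// the value lands in, is what prevents stored XSS.
function render_post_meta_safely( $post_id ) {
    $keys = get_post_custom_keys( $post_id );
    if ( empty( $keys ) ) {
        return '';
    }
    $html = '<ul class="post-meta">';
    foreach ( $keys as $key ) {
        // Skip protected (underscore-prefixed) meta, as the_meta() does.
        if ( '_' === substr( $key, 0, 1 ) ) {
            continue;
        }
        $values = get_post_custom_values( $key, $post_id );
        foreach ( (array) $values as $value ) {
            // esc_html() neutralises <, >, &, and quotes for an HTML text node.
            $html .= sprintf(
                '<li><span class="post-meta-key">%s:</span> %s</li>',
                esc_html( $key ),
                esc_html( $value )
            );
        }
    }
    return $html . '</ul>';
}

// --- 2. Force a query limit to be an integer ----------------------------
// A limit that is interpolated into a SQL LIMIT clause must be an
// integer, never a caller-supplied string. absint() casts to a
// non-negative int; anything non-numeric becomes 0, which we map to
// -1, the value get_bookmarks() treats as "no limit".
function safe_bookmark_limit( $raw_limit ) {
    $limit = absint( $raw_limit );
    return $limit > 0 ? $limit : -1;
}

// Usage: the 'limit' argument is sanitised before it reaches the query,
// and each bookmark field is escaped for the context it is printed in.
function list_bookmarks_safely( $raw_limit ) {
    $bookmarks = get_bookmarks( array( 'limit' => safe_bookmark_limit( $raw_limit ) ) );
    $html = '<ul class="bookmarks">';
    foreach ( $bookmarks as $bookmark ) {
        $html .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( $bookmark->link_url ),    // URL attribute context
            esc_html( $bookmark->link_name )   // HTML text context
        );
    }
    return $html . '</ul>';
}
```

The point of the example is the separation of concerns: the limit is coerced to an integer at the boundary where untrusted input enters the query, and every value is escaped at the boundary where it leaves PHP and enters HTML, with the escaping function chosen per context (esc_html() for text nodes, esc_url() for href attributes).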

These security fixes address vulnerabilities that could potentially be exploited to compromise WordPress sites. The changes were contributed by tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, and timothyblynjacobs.

Performance Improvements

This release does not contain any significant performance improvements. The changes are primarily focused on security enhancements and development workflow improvements.

Impact Summary

WordPress 3.9.37 is a security maintenance release that addresses several important vulnerabilities. The update focuses on fixing potential XSS issues by properly escaping output in the the_meta() function, ensuring bookmark query limits are properly validated as numeric values, and enhancing security in plugin error messages.

This release also includes improvements to the development workflow, particularly around GitHub Actions and Slack notifications, which helps maintain consistency in the development tooling across branches that still receive security updates.

While WordPress 3.9 is no longer officially supported with regular updates, this release demonstrates WordPress's commitment to providing security fixes for legacy versions when critical vulnerabilities are discovered. Site administrators should update immediately to protect their websites from potential security threats.

Statistics:

Files Changed: 14
Line Additions: 173
Line Deletions: 364
Line Changes: 537
Total Commits: 4

User Impact:

  • Improved security against potential XSS vulnerabilities
  • Enhanced protection for bookmark queries
  • Reduced risk of security exploits in plugin error messages

Contributors:

desrosj, SergeyBiryukov