WordPress Release: 3.9.38
Tag Name: 3.9.38
Release Date: 10/17/2022
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 3.9.38 Security Release
This maintenance release includes several important security fixes that address vulnerabilities in WordPress 3.9. The update focuses primarily on hardening security around content processing, email handling, and widget display. Additionally, it introduces new strings to indicate security support status for future maintenance releases, helping users understand when their WordPress version will no longer receive security updates.
Highlight of the Release
- Multiple security fixes for content processing and validation
- Introduction of strings to indicate security support status for future releases
- Improved email handling security
- Enhanced protection for comments, trackbacks, and widgets
Migration Guide
No migration steps are required for this security update. Simply update to WordPress 3.9.38 through your admin dashboard or by downloading the update from wordpress.org.
Upgrade Recommendations
This is a security release that addresses multiple vulnerabilities. All WordPress 3.9 users are strongly encouraged to update immediately to version 3.9.38.
While WordPress 3.9 is an older version of WordPress, this security update is important for sites that haven't yet upgraded to more recent major versions. However, for optimal security and features, upgrading to the latest WordPress version is highly recommended.
Bug Fixes
No general bug fixes were included in this release. This update focuses exclusively on security fixes and enhancements.
New Features
New Support Status Indicators
Added new translatable strings that will be used in future maintenance/security releases to indicate:
- When a WordPress version is no longer receiving security updates
- When a WordPress version will shortly stop receiving security updates
These strings are being made available to translators in advance of implementation to ensure a smooth transition when older WordPress versions reach end-of-support.
Security Updates
This release includes several important security enhancements:
- Content Processing:
  - Applied KSES filtering to post-by-email content to prevent potential XSS vulnerabilities
  - Applied KSES filtering to all trackbacks for improved security
  - Applied KSES when editing comments to prevent unauthorized script injection
  - Removed email addresses from post-by-email logs to protect user privacy
- Validation & Sanitization:
  - Improved host validation on the "Are you sure?" confirmation screen
  - Enhanced escaping of RSS error messages in widgets
- Email Handling:
  - Reset PHPMailer properties between uses to prevent information leakage between emails
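How content can carry over when one mailer object is reused for several messages, and the reset that prevents it, shown as an added example (not WordPress or PHPMailer code). The `ToyMailer` class, both helper functions, the addresses and the message text are hypothetical and constructed for illustration.

```php
<?php
// Toy stand-in for a long-lived mailer object (hypothetical class, not PHPMailer).
final class ToyMailer {
    public $to = [];
    public $Body = '';
    public $AltBody = '';

    // Return what would go on the wire so the result can be inspected.
    public function send(): array {
        return ['to' => $this->to, 'body' => $this->Body, 'alt' => $this->AltBody];
    }
}

// Weak pattern: only the fields the caller supplies are overwritten.
function send_reusing_state(ToyMailer $m, string $to, string $body, ?string $alt = null): array {
    $m->to   = [$to];
    $m->Body = $body;
    if ($alt !== null) {
        $m->AltBody = $alt; // skipped for single-part mail, so the old value survives
    }
    return $m->send();
}

// Hardened pattern: clear every per-message property before composing.
function send_with_reset(ToyMailer $m, string $to, string $body, ?string $alt = null): array {
    $m->to      = [];
    $m->Body    = '';
    $m->AltBody = '';
    return send_reusing_state($m, $to, $body, $alt);
}

// Constructed sample messages: the first has a plain-text alternative part, the second does not.
$first_html = '<p>Use the link to reset your password.</p>';
$first_alt  = 'Reset link: https://example.test/reset?key=CONSTRUCTED';
$second     = 'Your comment was approved.';

$shared = new ToyMailer();
send_reusing_state($shared, 'alice@example.test', $first_html, $first_alt);
$leaky = send_reusing_state($shared, 'bob@example.test', $second);

$shared = new ToyMailer();
send_with_reset($shared, 'alice@example.test', $first_html, $first_alt);
$clean = send_with_reset($shared, 'bob@example.test', $second);

printf("without reset, alt part sent to bob: '%s'\n", $leaky['alt']);
printf("with reset, alt part sent to bob:    '%s'\n", $clean['alt']);
```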
Performance Improvements
No specific performance improvements were included in this security-focused release.
Impact Summary
WordPress 3.9.38 is primarily a security-focused release that addresses multiple vulnerabilities related to content processing, email handling, and widget display. The update introduces important security fixes including KSES filtering for various content types, improved host validation, and better email handling security.
Additionally, the release adds new strings to indicate security support status for future maintenance releases, which will help users understand when their WordPress version will no longer receive security updates. This proactive approach allows translators to prepare these strings before they're needed.
While this update is crucial for sites running WordPress 3.9, it's important to note that this is an older version of WordPress. For optimal security and functionality, upgrading to the latest WordPress version is recommended whenever possible.
Statistics:
Users Affected:
- Need to update to the latest version to ensure site security
- Will benefit from improved security around content processing and email handling
- Will receive notifications about security support status in future releases
