WordPress Release: 4.0.19

TL;DR

WordPress 4.0.19 is a security and maintenance release that addresses several important security vulnerabilities and improves the stability of the 4.0 branch. This update includes critical security fixes for the editor, database handling, and filesystem operations, along with improvements to TinyMCE shortcode previews and test infrastructure updates. All WordPress 4.0 users should update immediately to protect their sites from potential security threats.

Highlight of the Release

• Multiple security fixes including prevention of javascript: and data: URLs in the editor
• Database hardening with improved wpdb::prepare() handling
• Enhanced protection against malformed file paths in the Filesystem API
• Improved TinyMCE shortcode previews
• Better URL escaping and security hardening throughout the admin area

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process.

To update:

1. Back up your WordPress files and database
2. Update through the WordPress admin dashboard or download the update and install it manually
3. No database schema changes or special configuration adjustments are needed after updating

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress 4.0 users.

This release contains several important security fixes that address vulnerabilities in the WordPress core. Sites running WordPress 4.0.18 or earlier versions may be at risk of security exploits.

While WordPress 4.0 is an older branch and no longer receives regular feature updates, security fixes are still being backported to protect sites that haven't upgraded to newer major versions. However, users are encouraged to consider upgrading to a more recent WordPress major version when possible for additional features, improvements, and ongoing support.

Bug Fixes

Security and Bug Fixes

• Editor: Prevented adding javascript: and data: URLs through the inline link dialog, closing a potential security vulnerability
• Users: Added a fallback for incorrect HTTP referrers to improve reliability
• Admin Area: Added missing URL-encoding and extra hardening to plugin and template names when displayed in the admin area
• Filesystem API: Ensured filenames are valid before attempting to unzip them to prevent issues with malformed file paths
• Database: Multiple hardening improvements to wpdb::prepare():
  • Ignored additional values when arrays are passed for placeholders
  • Prevented triggering _doing_it_wrong() for null values
  • Improved escaping of non-placeholder percentage signs to align with documentation
• Users: Implemented correct escaping function for URLs to prevent potential security issues
• Testing: Fixed several failing tests and removed outdated test cases

New Features

No significant new features were added in this maintenance release. WordPress 4.0.19 focuses primarily on security enhancements and bug fixes to improve the stability and security of the 4.0 branch.

Security Updates

• Editor Security: Prevented the addition of potentially malicious javascript: and data: URLs through the inline link dialog, which could be used for XSS attacks
• URL Handling: Improved URL encoding and escaping throughout the admin area, particularly for plugin and template names
• Filesystem Protection: Enhanced validation of filenames before unzipping to prevent directory traversal attacks and other issues with malformed file paths
• Database Security: Multiple hardening improvements to wpdb::prepare() to prevent SQL injection vulnerabilities:
  • Enforced stricter handling of placeholders and values
  • Improved escaping of percentage signs in queries
  • Better alignment with documented behavior for placeholder handling
• User Management: Implemented proper URL escaping in user-related functions to prevent potential security issues

Performance Improvements

This release does not contain specific performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.0.19 is primarily a security-focused maintenance release that addresses several important vulnerabilities. The most significant changes involve hardening the database layer through improvements to wpdb::prepare(), preventing potentially malicious URLs in the editor, and enhancing filesystem security.

These security fixes protect sites from potential XSS attacks, SQL injection vulnerabilities, and filesystem exploitation. The changes are implemented in ways that maintain backward compatibility while improving security posture.

For developers, the most notable changes are the stricter handling of database query preparation, which now more closely follows the documented behavior. This might affect plugins that were relying on undocumented behavior of wpdb::prepare().

For content creators and administrators, the improvements to TinyMCE shortcode previews provide a better editing experience, while the security enhancements work behind the scenes to protect the site without changing the user interface or workflow.

Overall, this release represents an important security update that should be applied promptly, even though it doesn't introduce new features or significant visible changes to the WordPress experience.