WordPress Release: 4.0.2

TL;DR

WordPress 4.0.2 is a security and maintenance release that addresses several important security vulnerabilities and includes various bug fixes. This update focuses on improving database query security, fixing issues with TinyMCE, updating Plupload, and enhancing multisite functionality. All WordPress users are strongly encouraged to update immediately to protect their sites from potential security threats.

Highlight of the Release

• Critical security fixes for SQL injection vulnerabilities
• Improved database query sanitization and validation
• Enhanced multisite functionality to prevent unintentional site switching
• Updated Plupload Flash component to latest version
• Fixed TinyMCE editor issues

Migration Guide

No specific migration steps are required when updating to WordPress 4.0.2. This is a maintenance and security release that should be compatible with all plugins and themes that work with WordPress 4.0.

Update Process:

1. Back up your WordPress site (files and database) before updating
2. Update through the WordPress admin dashboard or download the update from wordpress.org
3. If you're using a caching plugin, clear your cache after updating

Developer Notes:

• If you've extended the wpdb class in your custom code, note that $checking_collation is now correctly marked as private instead of protected
• If your code relies on TinyMCE backwards compatibility features, you may need to update your implementation as some legacy code has been removed

Upgrade Recommendations

Immediate Update Strongly Recommended

This release contains critical security fixes that address SQL injection vulnerabilities and other security issues. All WordPress users should update to version 4.0.2 immediately to protect their sites from potential security threats.

The security improvements in this release are significant and protect against several vulnerabilities that could be exploited by malicious actors. The update process is straightforward and should not cause any compatibility issues with existing plugins or themes.

Priority level: High - Update as soon as possible

Bug Fixes

Database Query Handling

• Fixed issues with database query sanitization in sanitize_sql_orderby()
• Corrected the visibility modifier for wpdb::$checking_collation from protected to private
• Improved handling of edge cases in SQL query sanitization
• Added early returns for performance optimization in collation checking

TinyMCE and Media

• Removed outdated backwards compatibility code from TinyMCE
• Updated Plupload Flash file to the latest version for improved security and functionality
• Fixed issues with the editor for more reliable content creation

Multisite and Dashboard

• Fixed an issue where plugins could unintentionally switch sites in multisite installations
• Ensured post titles are correctly escaped on the Dashboard
• Improved multisite functionality with better site switching controls

Testing

• Backported PHPUnit test fixes to improve development workflow
• Added missing unit tests for database collation checking

New Features

No significant new features were introduced in this maintenance release. WordPress 4.0.2 focuses primarily on security enhancements and bug fixes to improve the stability and security of the platform.

Security Updates

Critical Security Fixes

• SQL Injection Protection: Implemented query sanity checks to prevent SQL injection vulnerabilities
• Database Query Sanitization: Enhanced sanitize_sql_orderby() function to properly sanitize and validate SQL queries
• Multisite Security: Prevented plugins from unintentionally switching sites in multisite installations, which could lead to security issues
• Dashboard Security: Ensured post titles are correctly escaped on the Dashboard to prevent potential XSS attacks
• Media Upload Security: Updated the Plupload Flash component to the latest version to address potential security vulnerabilities

These security fixes address several vulnerabilities that could potentially be exploited by malicious actors. All WordPress users are strongly encouraged to update to version 4.0.2 immediately to protect their sites.

Performance Improvements

Database Query Performance

• Optimized database collation checking with early returns when possible
• Improved query handling efficiency with better sanitization methods
• Enhanced database operations with improved collation handling

General Performance

• Removed unnecessary backwards compatibility code from TinyMCE, reducing overhead
• Streamlined query sanity checks for better performance
• Optimized multisite functionality to prevent unnecessary site switching

Impact Summary

WordPress 4.0.2 is primarily a security-focused maintenance release that addresses several critical vulnerabilities, particularly related to SQL injection protection. The update significantly improves the security posture of WordPress sites by enhancing database query sanitization, fixing multisite security issues, and updating components like Plupload to their latest versions.

For site administrators, this release provides essential protection against potential attacks while also improving the stability of core WordPress functions. The database query handling improvements not only enhance security but also optimize performance in certain operations.

Content creators will benefit from fixes to the TinyMCE editor and properly escaped post titles on the Dashboard, resulting in a more reliable content creation experience. Developers will appreciate the improved database query security and fixed PHPUnit tests for better development workflows.

While this release doesn't introduce new features, its security enhancements are crucial for maintaining the integrity and safety of WordPress websites. The update is backward compatible and should not cause any issues with existing plugins or themes.