WordPress Release: 4.0.25
Tag Name: 4.0.25
Release Date: 12/13/2018
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.0.25 is a security and maintenance release that addresses several important issues. It improves MIME file type verification, enhances KSES security filtering, fixes multisite activation issues, and prevents unwanted fields from being saved during post editing.
This release focuses primarily on security hardening and bug fixes, making WordPress installations more secure against potential vulnerabilities. Site administrators should update immediately to protect their sites from possible security issues.
Highlight of the Release
- Improved security for MIME file type verification to prevent malicious file uploads
- Enhanced KSES security filtering with better handling of form elements and URI attributes
- Fixed multisite user activation issues and improved messaging for previously activated users
- Prevented unwanted fields (meta_input, file, guid) from being saved during post editing
Migration Guide
No specific migration steps are required for this release. WordPress 4.0.25 is a maintenance and security release that should be compatible with existing WordPress 4.0.x installations.
However, if you have custom code that:
- Relies on the <form> element being in $allowedposttags
- Manipulates URI attributes in KSES
- Directly interacts with the post editor's handling of the meta_input, file, or guid fields
You may need to review and update your code to ensure compatibility with the security changes in this release.
Upgrade Recommendations
Immediate Update Recommended
This release contains several important security fixes that protect WordPress sites from potential vulnerabilities. All WordPress site administrators should update to version 4.0.25 as soon as possible.
The update process should be straightforward:
- Back up your WordPress site (files and database)
- Update through the WordPress dashboard or download and install the update manually
- Test your site functionality after the update
No major compatibility issues have been reported with this release, making it a safe and important update for all WordPress 4.0.x installations.
Bug Fixes
Multisite Activation Improvements
- Fixed an issue where users could attempt to activate a site multiple times
- Improved messaging for users who follow activation links more than once
- Enhanced validation of activation links for better security and user experience
KSES Form Element Handling
- Conditionally removed the <form> element from $allowedposttags
- Added backward compatibility to re-add <form> if custom filters have added <input> or <select> elements
- This prevents potential security issues while maintaining compatibility with existing customizations
Post Editor Security
- Removed the ability to update the meta_input, file, and guid fields through user input
- These fields are not intended to be updated directly and could potentially be exploited
New Features
New KSES URI Attributes Function
A new wp_kses_uri_attributes function has been introduced to centralize the list of URI attributes in WordPress. This function makes the code more maintainable by implementing the DRY (Don't Repeat Yourself) principle for URI attributes handling. Additionally, a new filter wp_kses_uri_attributes is now available, allowing plugins to customize which attributes are treated as URIs for security filtering purposes.
Security Updates
Media File Type Verification
Improved verification of MIME file types to prevent potential security vulnerabilities related to file uploads. This enhancement helps protect WordPress sites from malicious file upload attempts.
KSES Security Enhancements
- Conditionally removed the <form> element from allowed post tags to prevent potential XSS vulnerabilities
- Implemented a more secure and consistent approach to handling URI attributes through the new wp_kses_uri_attributes function
- These changes strengthen WordPress's defense against cross-site scripting attacks
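A small compatibility plugin that exercises both KSES changes above (the conditional removal of <form> and the new wp_kses_uri_attributes filter). This is an added example, not WordPress core code and not part of the original release notes; it assumes a loaded WordPress 4.0.25 install, and the lazy-src attribute and the example_* function names are invented for the illustration.

```php
<?php
/**
 * Plugin Name: KSES 4.0.25 compatibility check (added example)
 *
 * Assumes a loaded WordPress 4.0.25 (or later) install. The hooks
 * wp_kses_uri_attributes and wp_kses_allowed_html and the functions
 * wp_kses_post() / wp_kses_allowed_html() are WordPress's own; the
 * attribute name lazy-src and the example_* function names are invented here.
 * Uses array() and named functions because the 4.0 branch still targets PHP 5.2.
 */

// A theme-specific attribute on <img> that carries a URL. Allowing it via
// wp_kses_allowed_html alone is not enough: KSES only runs its protocol
// allow-list (wp_kses_bad_protocol) on attributes it knows are URIs.
function example_allow_lazy_src( $tags, $context ) {
	if ( 'post' === $context && isset( $tags['img'] ) ) {
		$tags['img']['lazy-src'] = true;
	}
	return $tags;
}
add_filter( 'wp_kses_allowed_html', 'example_allow_lazy_src', 10, 2 );

// Register the attribute as a URI so a javascript: or data: scheme is stripped
// from it, exactly as it is from href and src.
function example_register_uri_attribute( $attrs ) {
	$attrs[] = 'lazy-src';
	return $attrs;
}
add_filter( 'wp_kses_uri_attributes', 'example_register_uri_attribute' );

// Migration check: report whether <form> is still allowed in post content.
// 4.0.25 drops it unless a filter has also allowed <input> or <select>.
function example_form_tag_status() {
	$tags = wp_kses_allowed_html( 'post' );
	return isset( $tags['form'] ) ? 'form allowed' : 'form removed';
}

// Self-check on constructed content: the src survives, the script scheme on
// lazy-src does not.
function example_kses_self_check() {
	$html = '<img src="https://example.com/a.png" lazy-src="javascript:alert(1)">';
	return wp_kses_post( $html );
}

function example_log_kses_status() {
	error_log( 'KSES form tag: ' . example_form_tag_status() );
	error_log( 'KSES filtered: ' . example_kses_self_check() );
}
add_action( 'admin_init', 'example_log_kses_status' );
```

Both results are written to the PHP error log on the next admin page load; if the log reports "form removed" and a theme or plugin still emits <form> in post content, that code is what the migration guide above asks you to review.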
Post Editor Security
Removed the ability to update meta_input, file, and guid fields through user input during post editing. These fields are not intended to be updated directly and could potentially be exploited for malicious purposes.
Multisite Activation Security
Improved validation of activation links in multisite installations to prevent potential security issues related to user activation.
Performance Improvements
No specific performance improvements were mentioned in this release. The changes focus primarily on security enhancements and bug fixes rather than performance optimizations.
Impact Summary
WordPress 4.0.25 is primarily a security-focused release that addresses several potential vulnerabilities and improves the overall security posture of WordPress sites. The changes to MIME file type verification, KSES filtering, and post editing security help protect sites from common attack vectors.
For multisite installations, the improvements to user activation processes enhance both security and user experience by preventing duplicate activation attempts and providing clearer messaging.
The introduction of the wp_kses_uri_attributes function and filter provides developers with a more consistent and maintainable way to work with URI attributes in security filtering contexts.
While this release doesn't introduce major new features or performance improvements, its security enhancements are critical for maintaining the integrity and safety of WordPress websites. The changes are focused on hardening WordPress against potential exploits while maintaining backward compatibility.
Statistics
Users affected:
- Need to update their WordPress installations to ensure security vulnerabilities are patched
- Will benefit from improved MIME file type verification to prevent malicious file uploads
- Will experience more secure post editing with prevention of unwanted field updates
