HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.0.28

WordPress Release: 4.0.28

Tag Name: 4.0.28

Release Date: 10/14/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.0.28 brings critical security fixes and developer improvements

This maintenance and security release addresses several important vulnerabilities in WordPress 4.0, including fixes for the HTTP API, filesystem API, and administration security. It also adds developer convenience with .nvmrc files for older WordPress versions to simplify development environment setup. This update is essential for all WordPress 4.0 installations to maintain security and stability.

Highlight of the Release

    • Multiple security fixes addressing vulnerabilities in HTTP API, Filesystem API, and admin authentication
    • Added .nvmrc files to older WordPress versions for improved developer workflow
    • Fixed REST API header handling with proper Vary: Origin headers
    • Improved Customizer security with proper background image sanitization

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied directly to existing WordPress 4.0 installations.

To update:

  1. Back up your WordPress files and database
  2. Update through the WordPress admin dashboard or download the update and install manually
  3. No additional configuration changes are needed after updating

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that address multiple vulnerabilities in WordPress 4.0. All users running WordPress 4.0.27 or earlier in the 4.0 branch should update immediately to version 4.0.28.

While WordPress 4.0 is an older version of WordPress, sites still running this version should either:

  1. Update to WordPress 4.0.28 immediately as a minimum security measure
  2. Consider upgrading to the latest WordPress major version for improved security, features, and ongoing support

Security updates are essential regardless of which WordPress version you're running.

Bug Fixes

Query Component

  • Removed the static query property to fix potential issues with query handling

HTTP API

  • Added protection against hex interpretation vulnerabilities that could be exploited

Filesystem API

  • Prevented directory traversal attacks when creating new folders, closing a security vulnerability

Administration

  • Fixed security issue by ensuring admin referer nonce validation works correctly

REST API

  • Added proper Vary: Origin header on GET requests to improve security and caching behavior

Customizer

  • Improved security by properly sanitizing background images

New Features

Developer Workflow Improvement

  • Added .nvmrc files to older WordPress versions (including 4.0) to automatically use the correct Node.js version when switching between branches during development
  • This enhancement simplifies the development workflow when working across multiple WordPress versions

Security Updates

Critical Security Fixes

This release includes several important security fixes:

  • HTTP API: Protected against hex interpretation vulnerabilities that could potentially be exploited
  • Filesystem API: Prevented directory traversal attacks when creating new folders, which could allow unauthorized access to files outside intended directories
  • Administration: Enhanced security by ensuring proper validation of admin referer nonces, preventing potential CSRF attacks
  • REST API: Improved security by sending a Vary: Origin header on GET requests
  • Customizer: Added proper sanitization for background images to prevent potential XSS vulnerabilities

These security fixes address vulnerabilities that could potentially be exploited by malicious actors. All WordPress 4.0 installations should be updated immediately.

Performance Improvements

No specific performance improvements were mentioned in this release. The focus appears to be on security fixes and developer workflow enhancements.

Impact Summary

WordPress 4.0.28 is primarily a security-focused release that addresses several critical vulnerabilities that could potentially be exploited in older WordPress installations. The security fixes span multiple WordPress components including the HTTP API, Filesystem API, administration authentication, REST API, and Customizer.

For developers, the addition of .nvmrc files improves the workflow when working with older WordPress versions by automatically setting the correct Node.js version when switching branches.

This release demonstrates WordPress's commitment to maintaining security even for older versions of the software. While users should ideally upgrade to newer major versions of WordPress, this update ensures that those who must remain on WordPress 4.0 for compatibility reasons can still maintain a reasonable security posture.

The security fixes in this release are particularly important as they address potential vulnerabilities that could allow unauthorized access, code execution, or other security breaches if left unpatched.

Statistics:

File Changed10
Line Additions81
Line Deletions12
Line Changes93
Total Commits4

User Affected:

  • Enhanced security against potential admin referer nonce vulnerabilities
  • Protected against directory traversal attacks in the filesystem API
  • Improved security in the HTTP API against hex interpretation vulnerabilities

Contributors:

whyisjakedesrosj