WordPress Release: 4.0.36
Tag Name: 4.0.36
Release Date: 8/30/2022
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.0.36 brings important security fixes and GitHub Actions workflow improvements
This maintenance release focuses on security: it adds missing output escaping in several core functions and enforces numeric bookmark query limits. It also reworks the GitHub Actions workflow infrastructure used by core contributors, replacing the previous Slack notification steps with a reusable workflow. This update is part of WordPress's ongoing commitment to maintaining security for older branches that still receive courtesy updates.
Highlight of the Release
- Security fix for output escaping in the the_meta() function
- Security enhancement ensuring bookmark query limits are numeric
- Improved output escaping in plugin error messages
- Upgraded GitHub Actions workflow infrastructure with reusable Slack notifications
Migration Guide
No migration steps are required for this update. This is a maintenance release that focuses on security fixes and does not introduce any breaking changes or features that would require migration efforts.
Simply update to WordPress 4.0.36 through your admin dashboard or by downloading the update from the WordPress.org website.
Upgrade Recommendations
Priority: High
All WordPress sites running version 4.0.x should update to version 4.0.36 as soon as possible due to the security fixes included in this release.
While WordPress 4.0 is an older branch that is no longer officially supported for regular updates, the WordPress security team continues to provide courtesy security updates for these versions. However, for the best security and features, users are strongly encouraged to upgrade to the latest major version of WordPress.
The update process should be straightforward, with no compatibility issues expected.
Bug Fixes
Security-Related Bug Fixes
- Posts, Post Types: Fixed a potential XSS vulnerability by properly escaping output within the the_meta() function.
- General: Added validation to ensure bookmark query limits are numeric, so that non-numeric values no longer reach the SQL query.
- Plugins: Enhanced security by properly escaping output in plugin error messages.
Props to tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, and timothyblynjacobs for their contributions to these fixes.
New Features
No new features were added in this maintenance release. WordPress 4.0.36 focuses on security fixes and infrastructure improvements for the development workflow.
Security Updates
Security Enhancements
This release addresses several security vulnerabilities:
- XSS Protection in Post Meta: Fixed improper output escaping in the the_meta() function, which printed post custom field keys and values into the page without escaping and could allow Cross-Site Scripting (XSS).
- Bookmark Query Validation: Added validation to ensure bookmark query limits are numeric values, closing a potential SQL injection vector in the query's LIMIT clause.
- Plugin Error Message Escaping: Properly escaped output in plugin error messages, preventing potential XSS through values reflected in those messages.
These security fixes are part of WordPress's ongoing commitment to maintaining security even for older branches that still receive courtesy updates when necessary.
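The three fixes above fall into two defect classes: untrusted strings written into HTML without escaping (the_meta() and the plugin error messages), and an unvalidated value written into a SQL LIMIT clause (bookmark queries). The following stand-alone PHP script is an added illustration of both patterns, not WordPress core code and not the actual patched functions. It uses htmlspecialchars() in place of WordPress's esc_html(), a small to_absint() helper in place of absint(), and the table name, meta values and limit strings are constructed sample input.

```php
<?php
// Added example, not WordPress core code. It reproduces the two defect classes
// fixed in 4.0.36 (unescaped HTML output, and a non-numeric LIMIT reaching SQL)
// as a stand-alone script. htmlspecialchars() stands in for WordPress's
// esc_html() and to_absint() for absint(); the table name, meta values and
// limit strings are constructed sample input, not data from any real site.

// Stand-in for absint(): integer cast, negatives folded to positive, junk to 0.
function to_absint($value): int
{
    return abs((int) $value);
}

// --- the_meta() / plugin error message pattern: HTML output ------------------

// Unsafe: meta keys and values are printed into markup verbatim. A meta value
// such as <script>...</script> becomes live HTML in the rendered page.
function render_meta_unsafe(array $meta): string
{
    $html = "<ul class='post-meta'>\n";
    foreach ($meta as $key => $value) {
        $html .= "<li><span class='post-meta-key'>$key:</span> $value</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened: every untrusted string is HTML-escaped at the point of output.
function render_meta_safe(array $meta): string
{
    $html = "<ul class='post-meta'>\n";
    foreach ($meta as $key => $value) {
        $k = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $html .= "<li><span class='post-meta-key'>$k:</span> $v</li>\n";
    }
    return $html . "</ul>\n";
}

// --- bookmark query pattern: numeric LIMIT -----------------------------------

// Unsafe: the limit is interpolated as received, so anything after the number
// becomes part of the statement.
function bookmarks_sql_unsafe(string $limit): string
{
    return "SELECT * FROM wp_links ORDER BY link_name LIMIT $limit";
}

// Hardened: coerce to a non-negative integer first. A result of 0 drops the
// clause entirely (this example's own convention for "no limit").
function bookmarks_sql_safe($limit): string
{
    $sql = 'SELECT * FROM wp_links ORDER BY link_name';
    $n = to_absint($limit);
    return $n > 0 ? "$sql LIMIT $n" : $sql;
}

// --- demonstration on constructed input --------------------------------------

$meta = ['author_note' => '<script>alert(1)</script>'];
echo render_meta_unsafe($meta);   // script tag survives intact
echo render_meta_safe($meta);     // &lt;script&gt;alert(1)&lt;/script&gt;

$limit = '10; DROP TABLE wp_links';
echo bookmarks_sql_unsafe($limit), "\n";   // trailing statement reaches the query text
echo bookmarks_sql_safe($limit), "\n";     // ... LIMIT 10 (PHP keeps the leading digits)
echo bookmarks_sql_safe('abc'), "\n";      // no LIMIT clause at all
```

The hardened bookmark variant relies on PHP's integer cast, which keeps only a leading numeric prefix of a string and yields 0 for anything else; that is why the injected suffix disappears rather than being rejected with an error. If you audit a plugin or theme for the same defect classes, look for echo or string interpolation of request or database values into HTML without esc_html()/esc_attr(), and for query fragments built from values that were never passed through absint() or $wpdb->prepare().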
Performance Improvements
No specific performance improvements were included in this release. The changes were focused on security fixes and development workflow enhancements.
Impact Summary
WordPress 4.0.36 is primarily a security maintenance release for the 4.0 branch, which is no longer officially supported but still receives courtesy security updates. The release addresses several security vulnerabilities related to output escaping and input validation, which could potentially be exploited for XSS attacks or query manipulation.
The most significant changes are security fixes for the the_meta() function, bookmark query limits validation, and plugin error message output escaping. These changes help protect WordPress sites from potential security threats without changing any user-facing functionality.
Additionally, the release includes improvements to the GitHub Actions workflow infrastructure used by WordPress core contributors, replacing the previous Slack notification system with a more efficient reusable workflow approach. This change streamlines the development process but has no impact on WordPress users or site functionality.
While this update is important for sites still running WordPress 4.0.x, users are strongly encouraged to upgrade to the latest major version of WordPress for full security support and access to modern features.
Users Affected:
- Should update to this version to protect sites from potential security vulnerabilities
- Benefit from improved security against potential XSS attacks through better output escaping
- No visible changes to the admin interface or functionality
