HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.0.37

WordPress Release: 4.0.37

Tag Name: 4.0.37

Release Date: 10/17/2022

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.0.37: Security Maintenance Release

This maintenance release focuses primarily on security enhancements for WordPress 4.0. It introduces strings for future security support status notifications and includes several security fixes related to content sanitization, email handling, and input validation. This release is part of WordPress's ongoing commitment to maintain security for older versions of the platform.

Highlight of the Release

    • Introduction of strings to indicate security support status for WordPress versions
    • Multiple security enhancements for content sanitization across the platform
    • Improved email handling security, including post-by-email functionality
    • Better protection for trackbacks, comments, and widget content

Migration Guide

No migration steps are required for this security maintenance release. Simply update to WordPress 4.0.37 to receive all the security enhancements.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.0 sites update to version 4.0.37 immediately to benefit from these security enhancements.

While WordPress 4.0 is an older version of the platform, this security release demonstrates WordPress's commitment to maintaining security for sites that haven't yet upgraded to newer major versions.

For optimal security and features, consider upgrading to the latest version of WordPress if your site is compatible.

Bug Fixes

Security Fixes

  • Post-by-Email: Applied KSES to post-by-email content to prevent potential security issues
  • Post-by-Email: Removed email addresses from post-by-email logs for better privacy
  • Host Validation: Improved validation on the "Are you sure?" confirmation screen
  • Trackbacks/Pingbacks: Applied KSES to all trackbacks to prevent XSS vulnerabilities
  • Comments: Enhanced security by applying KSES when editing comments
  • Email Handling: Reset PHPMailer properties between uses to prevent information leakage
  • Widgets: Escaped RSS error messages for display to prevent potential XSS issues

New Features

New Support Status Notification Strings

This release introduces new strings that will be used in future maintenance and security releases to indicate the security support status of WordPress versions:

  • A string indicating when a WordPress version is no longer receiving security updates
  • A string indicating when a WordPress version will shortly stop receiving security updates

These strings have been added to make them available to translators before they're actively used in future releases when dropping support for selected WordPress versions.

Security Updates

Security Enhancements

This release includes several important security fixes:

  1. Content Sanitization Improvements:

    • Applied KSES filtering to post-by-email content
    • Enhanced security for trackbacks by applying KSES
    • Improved comment editing security with KSES application
    • Escaped RSS error messages in widgets

  2. Email Security:

    • Removed email addresses from post-by-email logs
    • Reset PHPMailer properties between uses to prevent information leakage

  3. Input Validation:

    • Improved host validation on confirmation screens

These changes help protect WordPress 4.0 sites against potential cross-site scripting (XSS) vulnerabilities and other security issues.

Performance Improvements

No specific performance improvements were mentioned in this security-focused release.

Impact Summary

WordPress 4.0.37 is a security-focused maintenance release that strengthens the platform's defenses against potential vulnerabilities. The primary impact is improved security across multiple areas including content handling, email functionality, and input validation.

The introduction of security support status strings prepares the way for future notifications about version support, which will help administrators better understand when their WordPress installation needs updating.

This release continues WordPress's commitment to maintaining security for older versions while encouraging users to eventually upgrade to newer, fully-supported versions of the platform. The security fixes address potential vulnerabilities that could be exploited if left unpatched, making this an important update for all WordPress 4.0 sites.

Statistics:

File Changed10
Line Additions64
Line Deletions9
Line Changes73
Total Commits4

User Affected:

  • Enhanced security for post-by-email functionality
  • Improved protection against potential security vulnerabilities
  • Better sanitization of trackbacks, comments, and RSS error messages

Contributors:

peterwilsonccSergeyBiryukov