HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.1.28

WordPress Release: 4.1.28

Tag Name: 4.1.28

Release Date: 10/14/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.1.28 brings critical security fixes and developer improvements

This maintenance and security release addresses several important vulnerabilities in WordPress 4.1, including fixes for the HTTP API, filesystem API, and admin authentication. It also adds developer convenience with .nvmrc files for older WordPress versions to simplify development environment setup. This update is essential for all WordPress 4.1 installations to maintain security and stability.

Highlight of the Release

    • Multiple security fixes addressing vulnerabilities in HTTP API, Filesystem API, and admin authentication
    • Added .nvmrc files to older WordPress versions for easier development environment setup
    • Fixed REST API to properly send Vary: Origin header on GET requests
    • Improved Customizer with proper sanitization of background images

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied to all WordPress 4.1 installations.

To update:

  1. Back up your WordPress files and database
  2. Update through the WordPress admin dashboard or download the update and install it manually
  3. No additional configuration changes are needed after updating

Upgrade Recommendations

Urgent Security Upgrade

This update is highly recommended for all WordPress 4.1 installations due to the security vulnerabilities addressed. The security fixes in this release protect against potential exploits in the HTTP API, filesystem API, and admin authentication.

While WordPress 4.1 is an older version that has reached end-of-life support, this security update is crucial for sites that haven't yet upgraded to newer WordPress versions. However, for long-term security and to benefit from the latest features, upgrading to the most recent WordPress version is strongly recommended.

Bug Fixes

Security and Bug Fixes

  • Query Component: Removed the static query property to fix potential issues with query handling.

  • HTTP API: Added protection against hex interpretation vulnerabilities that could potentially be exploited.

  • Filesystem API: Implemented safeguards to prevent directory traversal attacks when creating new folders, closing a security vulnerability.

  • Administration: Enhanced security by ensuring admin referer nonce validation is properly enforced.

  • Customizer: Improved sanitization of background images to prevent potential security issues.

New Features

Developer Improvements

  • Node Version Management: Added .nvmrc files to older WordPress versions (including 4.1) to simplify development environment setup when switching between branches. This helps developers automatically use the correct Node.js version for each WordPress version.

REST API Improvements

  • Added proper Vary: Origin header on GET requests to improve caching behavior and security.

Security Updates

Critical Security Fixes

This release includes several important security fixes:

  • HTTP API Protection: Added safeguards against hex interpretation vulnerabilities that could potentially allow malicious requests.

  • Filesystem API Security: Implemented protection against directory traversal attacks when creating new folders, preventing unauthorized access to server files.

  • Admin Authentication: Enhanced security by ensuring that admin referer nonces are properly validated, protecting against potential CSRF attacks.

  • Customizer Security: Improved sanitization of background images to prevent potential XSS or other injection attacks.

  • REST API Security: Added Vary: Origin header on GET requests to improve security of cross-origin requests.

Performance Improvements

No specific performance improvements were mentioned in this release. The focus appears to be on security fixes and developer enhancements rather than performance optimizations.

Impact Summary

WordPress 4.1.28 is primarily a security-focused release that addresses several critical vulnerabilities. The security fixes protect against potential exploits in the HTTP API, filesystem API, and admin authentication systems, making this an essential update for all WordPress 4.1 installations.

For developers, the addition of .nvmrc files improves the development workflow when working with older WordPress versions by automatically setting the correct Node.js version. This is particularly helpful for plugin and theme developers who need to maintain compatibility with multiple WordPress versions.

While WordPress 4.1 is no longer officially supported for new features, this security maintenance release demonstrates WordPress's commitment to protecting users on legacy versions. However, site owners should still plan to upgrade to a current WordPress version for ongoing security updates and feature improvements.

Statistics:

File Changed10
Line Additions74
Line Deletions12
Line Changes86
Total Commits4

User Affected:

  • Enhanced security against potential admin authentication vulnerabilities
  • Protected against directory traversal attacks in the filesystem API
  • Improved HTTP API security against hex interpretation exploits

Contributors:

whyisjakedesrosj