WordPress Release: 4.1.29

TL;DR

WordPress 4.1.29 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security validations by using HTML5 named entities like : in URI attributes. The fix ensures that WordPress properly sanitizes user input, protecting sites from potential XSS attacks.

Highlight of the Release

• Security fix for the wp_kses_bad_protocol() function to prevent bypassing URL protocol validation
• Improved handling of HTML5 named entities in URI attributes
• Protection against potential XSS vulnerabilities

Migration Guide

No migration steps are required for this update. This is a straightforward security patch that doesn't introduce any breaking changes or require configuration adjustments.

Simply update your WordPress installation to version 4.1.29 through your admin dashboard or via your preferred update method.

Upgrade Recommendations

Immediate upgrade recommended for all WordPress 4.1.x installations.

This security release addresses a vulnerability that could potentially be exploited for XSS attacks. All users running WordPress 4.1.x should update to version 4.1.29 as soon as possible to protect their sites.

However, it's important to note that WordPress 4.1 is an older branch that reached end-of-life status several years ago. While this security patch has been backported to the 4.1 branch, we strongly recommend upgrading to the latest supported WordPress version for comprehensive security protection and access to new features.

Bug Fixes

Security Bug Fix

The release fixes a vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security validations:

• Updated wp_kses_bad_protocol() to properly recognize and handle the : HTML5 named entity in URI attributes
• Fixed a potential security bypass where malicious users could use HTML entity encoding to circumvent protocol validation
• Backported the security fix from a more recent WordPress version (r46895) to the 4.1 branch

New Features

No new features were introduced in this maintenance release. WordPress 4.1.29 focuses exclusively on addressing a security vulnerability.

Security Updates

Security Vulnerability Patch

This release addresses an important security vulnerability:

• Fixed a security issue in wp_kses_bad_protocol() where attackers could potentially bypass URL protocol validation by using the : HTML5 named entity in URI attributes
• This vulnerability could potentially be exploited for cross-site scripting (XSS) attacks by injecting malicious protocols into URLs
• The fix ensures that WordPress properly recognizes HTML5 named entities when validating URI attributes, preventing this bypass technique

Props to xknown, nickdaugherty, and peterwilsoncc for identifying and addressing this security issue.

Performance Improvements

No specific performance improvements were included in this release. WordPress 4.1.29 is focused on security enhancements rather than performance optimizations.

Impact Summary

WordPress 4.1.29 delivers a critical security fix that addresses a vulnerability in the way WordPress validates URL protocols. By updating the wp_kses_bad_protocol() function to properly handle HTML5 named entities like :, this release closes a potential attack vector that could be exploited for cross-site scripting (XSS) attacks.

The security patch is particularly important for sites that allow users to submit content containing URLs, as it prevents malicious actors from bypassing WordPress's protocol validation mechanisms. While this is a targeted fix addressing a specific vulnerability, it highlights WordPress's ongoing commitment to security maintenance even for older branches.

For most users, this update will be transparent with no visible changes to functionality. The impact is entirely focused on improving the security posture of WordPress installations still running on the 4.1 branch.