
WordPress Release: 4.1.32

Tag Name: 4.1.32

Release Date: 10/29/2020


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.1.32 is a security and maintenance release that addresses several important security vulnerabilities and improves error handling across multiple components. It tightens security for XML-RPC, embeds, meta handling, and theme functionality, and also improves administrative screen option handling and error messaging. The release matters most to site administrators, since it patches security issues that could otherwise be exploited by malicious actors.

Highlight of the Release

  • Enhanced security for XML-RPC with improved error handling and validation
  • Disabled embeds on deactivated Multisite sites to prevent potential security issues
  • Improved screen option handling in admin interfaces with better backward compatibility
  • Modified escaping functions to avoid potential false positives in security checks
  • Better sanitization of meta keys before checking protection status

Migration Guide

No significant migration steps are required for this security and maintenance release. Site administrators should update to WordPress 4.1.32 as soon as possible to ensure their sites are protected against the security vulnerabilities addressed in this release.

For developers who have implemented custom screen option handling using the set-screen-option filter, note that there is now an additional filter set_screen_option_{$option} that provides more granular control. Your existing code should continue to work as expected due to the backward compatibility measures implemented in this release.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes that address multiple vulnerabilities. All WordPress site administrators running version 4.1.x should upgrade to version 4.1.32 immediately to protect their sites.

The security improvements in this release help protect against:

  • Potential XML-RPC vulnerabilities
  • Security issues with embeds on deactivated Multisite sites
  • Meta handling vulnerabilities
  • Unauthorized theme modifications

As this is primarily a security release, the risk of compatibility issues with existing functionality is minimal compared to the security benefits provided by the update.

Bug Fixes

Administration

  • Fixed screen option handling to ensure backward compatibility by passing the result of set-screen-option filter to the new set_screen_option_{$option} filter
  • Renamed the $keep parameter to $screen_option in both filters for better clarity

XML-RPC

  • Improved error messages for unprivileged users attempting unauthorized actions
  • Fixed error handling when attachment ID is incorrect in XML-RPC requests

Installation and Upgrades

  • Enhanced logic check when determining installation status to prevent potential issues

Theme Functionality

  • Fixed security issue where non-privileged users could potentially set a background image when a theme is using the deprecated custom background page

New Features

New Filter for Screen Options

A new filter set_screen_option_{$option} has been introduced to ensure backward compatibility when handling screen options in the WordPress admin. This complements the existing set-screen-option filter, providing developers with more granular control over specific screen options.
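The following plugin snippet is an added example, not WordPress core code and not part of this release page. It shows how a plugin validates its own screen option through both the legacy set-screen-option filter and the option-specific set_screen_option_{$option} filter described in the Migration Guide and above, so that the same validation runs on 4.1.x sites before and after this update. The option name example_items_per_page, the 1..200 bounds, and the load-toplevel_page_example hook are assumptions made for this example; the filter signatures (value passed along the chain, option name, raw submitted value) are those WordPress core uses.

```php
<?php
/**
 * Plugin Name: Example Per-Page Screen Option
 *
 * Added example, not WordPress core code. Demonstrates validating a custom
 * screen option via both 'set-screen-option' and 'set_screen_option_{$option}'.
 */

// Assumed option name. WordPress stores the saved value as user meta under
// this key, so it is also the $option passed to both filters.
const EXAMPLE_SCREEN_OPTION = 'example_items_per_page';

/**
 * Validate the submitted value.
 *
 * Returning false tells WordPress not to save anything; any other return
 * value is written to user meta. The function always re-derives its result
 * from the raw $value, so running it once per filter is harmless.
 *
 * @param mixed  $screen_option Value passed along the filter chain: false from
 *                              core, or what an earlier callback returned.
 * @param string $option        Name of the screen option being saved.
 * @param mixed  $value         Raw value submitted from the Screen Options form.
 * @return mixed False to reject, otherwise the sanitized integer.
 */
function example_validate_screen_option( $screen_option, $option, $value ) {
    // Only handle our own option; leave other options' values untouched.
    if ( EXAMPLE_SCREEN_OPTION !== $option ) {
        return $screen_option;
    }

    // Clamp to a sane range (bounds are an assumption for this example) so a
    // crafted form submission cannot persist an absurd or non-numeric page size.
    $value = (int) $value;
    if ( $value < 1 || $value > 200 ) {
        return false; // Reject: nothing is saved for this user.
    }

    return $value;
}

// Legacy generic filter: fires for every screen option on every WordPress
// version. Priority 10, three accepted arguments.
add_filter( 'set-screen-option', 'example_validate_screen_option', 10, 3 );

// Option-specific filter available from 4.1.32 on. Core passes the result of
// 'set-screen-option' in as $screen_option, so hooking both is safe and the
// plugin degrades cleanly on sites that have not yet updated.
add_filter( 'set_screen_option_' . EXAMPLE_SCREEN_OPTION, 'example_validate_screen_option', 10, 3 );

/**
 * Register the option on the plugin's admin page so the Screen Options tab
 * shows the input field. The 'load-toplevel_page_example' hook below assumes
 * a top-level admin page with slug 'example'.
 */
function example_register_screen_option() {
    add_screen_option(
        'per_page',
        array(
            'label'   => 'Items per page',
            'default' => 20,
            'option'  => EXAMPLE_SCREEN_OPTION,
        )
    );
}
add_action( 'load-toplevel_page_example', 'example_register_screen_option' );
```

Two points worth noting. First, core only routes custom option names ending in _page (plus layout_columns) through these filters, which is why the assumed name follows the per_page convention. Second, keeping the validator idempotent matters: on 4.1.32 it runs twice for the same submission, and the second run must not undo what the first one decided.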

Security Updates

XML-RPC Security

  • Enhanced error messages for unprivileged users to prevent information disclosure
  • Improved validation of attachment IDs to prevent potential security issues

Embed Security

  • Disabled embeds on deactivated Multisite sites to prevent potential security vulnerabilities

Meta Handling

  • Added proper sanitization of meta keys before checking protection status to prevent potential security issues

Theme Security

  • Fixed vulnerability where non-privileged users could potentially set a background image when a theme uses the deprecated custom background page

Escaping Functions

  • Modified escaping functions to avoid potential false positives that could lead to security vulnerabilities

Performance Improvements

External Libraries

  • Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential performance and security issues

Error Handling

  • Improved error messaging and validation across multiple components, reducing unnecessary processing for invalid requests

Impact Summary

WordPress 4.1.32 is a security-focused maintenance release that addresses several important vulnerabilities and improves error handling across the platform. The update enhances security for XML-RPC functionality, embeds on Multisite installations, meta handling, and theme functionality.

For site administrators, this release provides critical security patches that should be applied immediately to protect sites from potential exploits. The improvements to error messaging also help prevent information disclosure to unprivileged users.

For developers, the release introduces a new filter for screen options that maintains backward compatibility while providing more granular control. The renaming of parameters for clarity and documentation updates will help with future development.

The security enhancements in this release are particularly important for sites that use XML-RPC functionality, have Multisite installations, or use themes with custom background functionality. By addressing these vulnerabilities, WordPress continues to prioritize the security and stability of the platform for all users.

Statistics:

  • Files Changed: 18
  • Line Additions: 137
  • Line Deletions: 37
  • Line Changes: 174
  • Total Commits: 4

Users Affected:

  • Improved security against potential vulnerabilities in XML-RPC, embeds, and meta handling
  • Better error messages when unprivileged users attempt unauthorized actions
  • Enhanced screen option handling in admin interfaces

Contributors:

SergeyBiryukov, whyisjake, desrosj