WordPress Release: 4.1.37

TL;DR

WordPress 4.1.37 Security Release

This maintenance release focuses primarily on security enhancements for WordPress 4.1. It introduces new strings to indicate security support status for WordPress versions and includes multiple security fixes related to content sanitization, validation, and email handling. This release is part of WordPress's ongoing commitment to maintain security for older versions while preparing users for eventual end-of-support transitions.

Highlight of the Release

• Introduction of strings to indicate security support status for WordPress versions
• Multiple security enhancements for content sanitization and validation
• Improved security for post-by-email functionality
• Enhanced protection for comments, trackbacks, and pingbacks
• Fixed potential vulnerabilities in WordPress core components

Migration Guide

No specific migration steps are required for this security update. Site administrators should update to WordPress 4.1.37 as soon as possible to ensure their sites benefit from these security enhancements.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.1.x sites be updated to version 4.1.37 immediately to benefit from these security enhancements.

While WordPress 4.1 is an older version of the CMS, this security release demonstrates WordPress's commitment to maintaining security for legacy versions. However, for optimal security and features, users should consider upgrading to the latest major version of WordPress when possible.

Bug Fixes

• Fixed issues with email handling in WordPress core
• Addressed potential security vulnerabilities in the post-by-email functionality
• Resolved issues with PHPMailer property persistence between uses
• Fixed validation issues in WP_Date_Query relation parameter
• Addressed potential security concerns with RSS error message display

New Features

New Support Status Indicators

• Added new translatable strings to indicate when a WordPress version is no longer receiving security updates
• Added strings to notify users when a WordPress version will shortly stop receiving security updates
• These strings are being made available to translators in preparation for future maintenance/security releases

Security Updates

Security Enhancements

• Content Sanitization: Applied KSES filtering to post-by-email content to prevent potential XSS vulnerabilities
• Host Validation: Improved validation on the "Are you sure?" confirmation screen
• Privacy Protection: Removed email addresses from post-by-email logs
• Trackback Security: Applied KSES filtering to all trackbacks to prevent potential injection attacks
• Comment Protection: Enhanced security when editing comments by applying proper content sanitization
• Email Security: Reset PHPMailer properties between uses to prevent information leakage
• Query Validation: Improved validation for relation parameters in WP_Date_Query
• Widget Security: Escaped RSS error messages for display to prevent potential XSS vulnerabilities

Performance Improvements

No specific performance improvements were mentioned in this security-focused release.

Impact Summary

WordPress 4.1.37 is primarily a security-focused maintenance release that addresses multiple potential vulnerabilities across various WordPress components. The release introduces strings to indicate security support status, which will be used in future releases to notify users when their WordPress version is approaching or has reached end-of-security-support.

The security enhancements focus on proper content sanitization, input validation, and protection against common web vulnerabilities like XSS attacks. Particularly notable are the improvements to post-by-email functionality, trackback handling, comment editing, and widget display.

This release is part of WordPress's ongoing commitment to maintaining security for older versions while also preparing users for eventual transitions when security support ends for specific versions. While no immediate action beyond updating is required, site owners should be aware that these new status indicator strings suggest WordPress 4.1 may be approaching end-of-security-support in the future.