
WordPress Release: 4.2.16

Tag Name: 4.2.16

Release Date: 9/19/2017


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.2.16 is a security and maintenance release that addresses several important security vulnerabilities and includes improvements to the editor, database handling, and test infrastructure. This update focuses on hardening WordPress against potential security issues, particularly in URL handling, database preparation, and file system operations.

Highlight of the Release

  • Security hardening for wpdb::prepare() to prevent SQL injection vulnerabilities
  • Prevention of javascript: and data: URLs in the inline link dialog
  • Improved validation of file paths during unzipping operations
  • Enhanced URL encoding and hardening for plugin and template names in admin areas
  • Improved shortcode previews in the TinyMCE editor

Migration Guide

Migration Notes

This release primarily contains security fixes and doesn't require specific migration steps. However, developers should note:

  • If your code uses wpdb::prepare() with non-standard placeholders or null values, you may need to update it
  • Only %s, %d, and %F are supported as placeholders in wpdb::prepare()
  • Any other non-escaped % characters will now be escaped
  • While wpdb::prepare() does not officially support null values, the function will no longer trigger _doing_it_wrong() notices for null values to maintain compatibility with plugins like WordPress Importer
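The placeholder rules above as they look in plugin code, as an added example that is not code from the release (it assumes a loaded WordPress environment providing the global $wpdb; the function name and meta key are hypothetical):

```php
<?php
// Added example, not part of WordPress 4.2.16: usage patterns a developer
// should review after the wpdb::prepare() hardening. Assumes WordPress has
// loaded and exposes the global $wpdb.
global $wpdb;

// Prefix search on a user-supplied string. The LIKE wildcard is appended in
// PHP and esc_like() neutralises any % or _ inside the user's own text, so
// the query string contains only the supported %s and %d placeholders and
// the untrusted value never touches the query text directly.
function find_posts_by_title_prefix( $prefix, $limit = 20 ) { // hypothetical name
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s LIMIT %d",
        $like,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// A percent sign that belongs in the query text itself must be doubled.
// 4.2.16 now escapes any bare % that is not part of %s, %d or %F, so
// writing %% explicitly keeps the intent clear and matches the documentation.
$count = $wpdb->get_var( $wpdb->prepare(
    "SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value LIKE '%%sale%%'",
    '_example_note' // hypothetical meta key
) );

// Patterns to flag in code review under the new behaviour:
//  - any placeholder other than %s, %d or %F in the query string: it is no
//    longer treated as a placeholder, and its % is escaped
//  - an array passed as a single argument: its extra elements are no longer
//    consumed as additional values, so pass each value as its own argument
//  - null arguments: still not officially supported, although no
//    _doing_it_wrong() notice is raised for them
```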

Upgrade Recommendations

Immediate upgrade recommended for all installations.

This release contains important security fixes that protect your WordPress site from potential vulnerabilities. Given the security-focused nature of this update, all WordPress site owners should update to version 4.2.16 as soon as possible.

If you're running an older version of the 4.2 branch, updating to 4.2.16 is strongly recommended to ensure your site remains secure against known vulnerabilities.

Bug Fixes

  • Fixed handling of incorrect HTTP referrers for users
  • Improved URL escaping for user-related functions
  • Addressed issues with wpdb::prepare() handling of null values to prevent unnecessary warnings
  • Fixed potential issues with malformed file paths during unzipping operations
  • Corrected URL encoding for plugin and template names in admin displays

New Features

No significant new features were added in this release. WordPress 4.2.16 is primarily a security and maintenance release focused on fixing vulnerabilities and improving existing functionality.

Security Updates

  • Editor Security: Prevented adding potentially malicious javascript: and data: URLs through the inline link dialog
  • Admin Security: Added missing URL-encoding and extra hardening to plugin and template names when displayed in the admin area
  • Filesystem Security: Enhanced validation of filenames before unzipping to prevent issues with malformed file paths
  • Database Security: Multiple hardening improvements to wpdb::prepare():
    • Prevented additional values from being processed when arrays are passed as placeholders
    • Aligned behavior with documentation by properly handling placeholders (%s, %d, and %F)
    • Improved escaping of percentage signs in query strings
  • User Security: Implemented proper URL escaping for user-related functions

Performance Improvements

The release includes updates to the test infrastructure, including:

  • Removed mentions of HHVM from the test infrastructure on Travis
  • Switched PHP 5.2 testing to Travis' Ubuntu precise image
  • Updated to use the latest versions in the 4.x and 5.x branches of PHPUnit when running tests

These changes improve the development and testing workflow but don't directly impact end-user performance.

Impact Summary

WordPress 4.2.16 is a critical security release that addresses multiple vulnerabilities that could potentially be exploited by malicious actors. The update focuses on hardening WordPress against SQL injection attacks through improvements to the database preparation functions, preventing malicious URL usage in the editor, and enhancing file system security during unzipping operations.

The changes to wpdb::prepare() are particularly important as they align the function's behavior with its documentation and prevent potential SQL injection vectors. The release also improves security in the admin area by properly encoding plugin and template names.

For developers, the changes to wpdb::prepare() may require code review if you're using this function with non-standard placeholders or null values. The test infrastructure updates improve the development workflow but don't affect end users.

Content creators will benefit from improved shortcode previews in the TinyMCE editor and protection against potentially harmful URLs in the inline link dialog.

Overall, this is a maintenance release with a strong focus on security that all WordPress site owners should apply promptly.

Statistics:

Files Changed: 17
Line Additions: 148
Line Deletions: 50
Line Changes: 198
Total Commits: 14

Users Affected:

  • Enhanced security against malicious URLs and file paths
  • Improved protection when handling plugin and template names in admin areas
  • More secure database operations with hardened `wpdb::prepare()` function

Contributors:

johnbillion, ocean90, aaroncampbell