
WordPress Release: 4.2.22

Tag Name: 4.2.22

Release Date: 12/13/2018

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.2.22 is a security and maintenance release that addresses several important security vulnerabilities and improves functionality in multisite installations. This update focuses on enhancing MIME type verification, improving KSES security filtering, validating multisite activation links, and preventing unwanted fields from being saved in posts.

This release is critical for all WordPress 4.2 installations as it patches multiple security issues that could potentially be exploited. Site administrators should update immediately to protect their websites from these vulnerabilities.

Highlight of the Release

    • Enhanced security for MIME file type verification in media uploads
    • Improved KSES filtering with conditional removal of the <form> element from allowed post tags
    • Better multisite user activation flow with improved messaging and validation
    • Introduction of wp_kses_uri_attributes function and filter for more consistent security filtering
    • Prevention of unwanted fields being saved in posts through the editor

Migration Guide

This is a security and maintenance release that doesn't require specific migration steps. Simply update your WordPress installation to version 4.2.22 through your admin dashboard or via manual update.

If you've implemented custom code that interacts with KSES filtering, particularly around form elements or URI attributes, you may want to review your code to ensure compatibility with the new wp_kses_uri_attributes function and the conditional handling of the <form> element in $allowedposttags.
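As an added example (not code from WordPress core or from this release), the following plugin snippet shows the kind of review the paragraph above asks for: it registers a hypothetical `data-preview` attribute through the new wp_kses_uri_attributes filter, allows <input> in post content so that the conditional re-adding of <form> applies, and exposes a self-check. It assumes it runs inside a loaded WordPress 4.2.22 install; the attribute name and function name are assumptions.

```php
<?php
// Added example, not WordPress core or plugin code. Runs only inside a loaded
// WordPress 4.2.22 install; 'data-preview' is a hypothetical custom attribute.

// Register the custom attribute as a URI attribute. Once it is in the list returned
// by wp_kses_uri_attributes(), KSES runs wp_kses_bad_protocol() on its value, so
// only protocols from wp_allowed_protocols() survive in saved post content.
add_filter( 'wp_kses_uri_attributes', function ( $uri_attributes ) {
	$uri_attributes[] = 'data-preview';
	return $uri_attributes;
} );

// Allow the attribute on <a>, and allow <input> in post content. 4.2.22 drops <form>
// from $allowedposttags but re-adds it when a filter allows <input> or <select>, so
// this filter does not need to re-add <form> itself.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
	if ( 'post' !== $context ) {
		return $tags;
	}
	$tags['a']['data-preview'] = true;
	$tags['input']             = array(
		'type'  => true,
		'name'  => true,
		'value' => true,
	);
	return $tags;
}, 10, 2 );

// Compatibility self-check for the review the migration guide asks for. Every entry
// should be true once the two filters above are registered.
function example_kses_self_check() {
	$checks = array();
	$checks['uri_attribute_registered'] = in_array( 'data-preview', wp_kses_uri_attributes(), true );

	// Allowed protocol: the markup must pass through KSES unchanged.
	$safe = '<a href="https://example.com/" data-preview="https://example.com/p.png">x</a>';
	$checks['safe_uri_kept'] = ( wp_kses_post( $safe ) === $safe );

	// Disallowed protocol on the custom attribute: KSES must strip it, as it does for href.
	$bad = '<a data-preview="javascript:alert(1)">x</a>';
	$checks['bad_uri_stripped'] = ( false === strpos( wp_kses_post( $bad ), 'javascript:' ) );

	// <form> is conditionally re-added because the filter above allowed <input>.
	$allowed = wp_kses_allowed_html( 'post' );
	$checks['form_readded'] = isset( $allowed['form'], $allowed['input'] );

	return $checks;
}
```

Load it as a plugin and call example_kses_self_check() from `wp shell`; all four values should be true.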

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress 4.2 installations.

This release contains several important security fixes that address vulnerabilities in media handling, content filtering, and post saving. All WordPress site administrators should update to version 4.2.22 as soon as possible to protect their sites from potential security exploits.

Note that WordPress 4.2 is an older branch and is no longer receiving regular updates. For the best security and features, consider upgrading to the latest major version of WordPress if possible.

Bug Fixes

  • KSES Filtering Improvements: Conditionally removed the <form> element from $allowedposttags while maintaining backward compatibility by re-adding it if custom filters have added <input> or <select> elements.

  • Multisite Activation Flow: Fixed issues with multiple activation attempts in multisite installations, ensuring users receive appropriate messaging when attempting to activate a previously activated account.

  • Post Editor Security: Addressed an issue where unwanted fields (meta_input, file, and guid) could potentially be saved through user input in the post editor.

New Features and Enhancements

  • Improved KSES URI Attributes Handling: Introduction of the wp_kses_uri_attributes function and filter, which centralizes the list of URI attributes to prevent inconsistency and provides a way for plugins to customize these attributes.

  • Enhanced Multisite User Experience: Improved messaging for previously activated users in multisite installations, ensuring activation is not attempted multiple times and users see the correct message when following activation links more than once.

  • Better Multisite Activation Link Validation: Added validation for multisite activation links to enhance security and prevent potential issues.

Security Updates

  • Enhanced MIME File Type Verification: Improved the verification process for MIME file types in media uploads, reducing the risk of malicious file uploads.

  • KSES Security Enhancements: Multiple improvements to the KSES HTML filtering system, including better handling of form elements and URI attributes, helping to prevent potential XSS vulnerabilities.

  • Multisite Activation Link Validation: Added validation for activation links in multisite installations to prevent potential security issues related to user activation.

  • Prevention of Unwanted Field Saving: Blocked the ability to update meta_input, file, and guid fields through user input in the post editor, preventing potential security exploits.

Performance Improvements

  • DRY Implementation for KSES URI Attributes: The new centralized approach for URI attributes in KSES filtering improves code maintainability and consistency across the platform.

  • Optimized Validation Processes: Improved validation mechanisms for multisite activation links and MIME file types contribute to more efficient processing of these operations.

Impact Summary

WordPress 4.2.22 is primarily a security-focused release that addresses several vulnerabilities and improves the overall security posture of WordPress 4.2 installations. The changes to MIME file type verification and KSES filtering help protect sites from potential security exploits, while the improvements to multisite activation enhance user experience and security in network installations.

The introduction of the wp_kses_uri_attributes function represents a significant improvement in code organization and maintainability, making the handling of URI attributes more consistent across the platform and providing developers with a new filter to customize this behavior.

For site administrators, this update is critical as it patches multiple security vulnerabilities. The changes are focused on backend security improvements and should not affect the front-end appearance or functionality of WordPress sites, making this a low-risk but high-importance update.

Statistics:

  • Files Changed: 14
  • Line Additions: 281
  • Line Deletions: 63
  • Line Changes: 344
  • Total Commits: 8

Users Affected:

  • Need to update their WordPress installations immediately to address security vulnerabilities
  • Will benefit from improved security in KSES filtering and media handling
  • Will see improved messaging for multisite user activation

Contributors:

  • jeremyfelt
  • pento
  • peterwilsoncc
  • iandunn