WordPress Release: 4.2.26

TL;DR

WordPress 4.2.26 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security protocols by using the HTML5 named entity : in URI attributes. This is a critical security fix that protects WordPress sites from potential XSS attacks and other injection vulnerabilities.

Highlight of the Release

• Fixed a security vulnerability in wp_kses_bad_protocol() that could allow bypassing security checks
• Improved URI attribute validation to recognize and handle the HTML5 named entity :
• Enhanced protection against XSS attacks through malicious URI attributes

Migration Guide

No migration steps are required for this update. This is a direct security patch that doesn't change any APIs or user-facing functionality. Simply update to WordPress 4.2.26 to apply the security fix.

Upgrade Recommendations

Immediate Upgrade Recommended

All WordPress site administrators running version 4.2.25 or earlier in the 4.2.x branch should update to version 4.2.26 immediately. This is a security release that patches a vulnerability that could potentially be exploited to bypass content filtering mechanisms.

The update process should be straightforward with no expected compatibility issues:

1. Back up your WordPress site (files and database)
2. Update through the WordPress admin dashboard or via your preferred method
3. Verify your site functions normally after the update

Note that WordPress 4.2.x is an older branch, and if possible, upgrading to the latest major WordPress version is recommended for access to all security updates and features.

Bug Fixes

Security Bug Fix

Fixed a vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security validations by using the HTML5 named entity : in URI attributes. This function is responsible for validating that URI attributes don't contain invalid or disallowed protocols, and this fix ensures that the : entity is properly recognized and handled during validation.

New Features

No new features were added in this release. WordPress 4.2.26 is strictly a security maintenance release focused on patching a vulnerability in the wp_kses_bad_protocol() function.

Security Updates

Critical Security Fix

This release patches a vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security validations when using the HTML5 named entity : in URI attributes.

The vulnerability could potentially be exploited to perform XSS (Cross-Site Scripting) attacks or other injection vulnerabilities by bypassing WordPress's content filtering mechanisms. By properly recognizing and handling the : entity, WordPress now prevents this bypass method, ensuring that all URI protocols are properly validated regardless of how they're encoded.

Props to xknown, nickdaugherty, and peterwilsoncc for identifying and fixing this security issue.

Performance Improvements

No specific performance improvements were included in this release. The focus was solely on addressing the security vulnerability in the wp_kses_bad_protocol() function.

Impact Summary

WordPress 4.2.26 addresses a specific security vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security validations when using the HTML5 named entity : in URI attributes. This is a targeted security fix that strengthens WordPress's content filtering system without changing any user-facing functionality.

The impact is primarily security-related, protecting sites from potential XSS attacks that could exploit this vulnerability. The fix ensures that all URI protocols are properly validated regardless of encoding methods used, closing a potential security loophole.

This update is particularly important for sites that allow users to submit content containing HTML with URI attributes, as it prevents malicious users from bypassing security checks through this specific encoding technique.