
WordPress Release: 4.2.35

Tag Name: 4.2.35

Release Date: 5/16/2023


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.2.35 is a maintenance and security release that addresses a critical CSRF vulnerability in media attachment thumbnails, updates GitHub Actions workflows, improves internationalization support for end-of-life notifications, and refactors HTTP redirect handling tests. This release is essential for all WordPress 4.2 users to maintain site security and ensure continued compatibility with development tools.

Highlight of the Release

  • Fixed a critical CSRF vulnerability in media attachment thumbnails
  • Added new translatable strings for end-of-life notifications
  • Updated GitHub Actions workflows to address deprecated notices and improve reliability
  • Refactored HTTP redirect handling tests to remove external dependencies

Migration Guide

No specific migration steps are required for this update. This is a standard maintenance and security release that can be applied through the normal WordPress update process.

As this is a security release, it is strongly recommended to update as soon as possible to protect your site from the vulnerability this release fixes.

Upgrade Recommendations

This release contains a critical security fix for a CSRF vulnerability in media attachment thumbnails. All WordPress 4.2 sites should update immediately to protect against this security issue.

The update process should be straightforward with no expected compatibility issues. As always, it's recommended to back up your site before performing any update.

Bug Fixes

Security and Bug Fixes

  • Media: Fixed a CSRF vulnerability that could allow unauthorized setting of attachment thumbnails
  • HTTP API: Refactored test for multiple location headers to remove external dependencies
    • Removed wordpress.org as an external dependency for testing WP_HTTP::handle_redirects()
    • Moved test from external-http group to http test group as it no longer makes HTTP requests

New Features

Internationalization Improvements

  • Added new translatable strings in about.php specifically for end-of-life update notifications
  • These strings will be used when releasing the final version of WordPress on a particular branch, improving the user experience for non-English speakers

Security Updates

Critical Security Fix

  • Media Attachment Thumbnails: Fixed a Cross-Site Request Forgery (CSRF) vulnerability that could allow unauthorized setting of attachment thumbnails
  • This security issue was identified and fixed with contributions from multiple WordPress security team members and contributors

Performance Improvements

Build and Test Infrastructure Improvements

  • Updated GitHub Actions workflows to address deprecated notices related to save-output and set-output
  • Added support for automatically retrying failed workflows once
  • Removed workflow files not applicable to the branch
  • Backported Docker environment related tooling updates for consistency across branches

Impact Summary

WordPress 4.2.35 is primarily a security and maintenance release that addresses a critical CSRF vulnerability in media attachment handling. This security fix is essential for all WordPress 4.2 sites.

The release also includes improvements to internationalization support for end-of-life notifications, which will provide a better experience for non-English users when a WordPress branch reaches its end of support.

For developers, the update to GitHub Actions workflows ensures continued functionality of CI/CD pipelines by addressing deprecated notices and improving workflow reliability. The refactoring of HTTP redirect handling tests removes external dependencies, making tests more reliable and faster.

While WordPress 4.2 is an older branch, this security update demonstrates WordPress's commitment to maintaining security even for older versions. However, users on this branch should consider upgrading to a more recent WordPress version for access to the latest features and security improvements.

Statistics:

  • Files changed: 16
  • Line additions: 295
  • Line deletions: 75
  • Line changes: 370
  • Total commits: 5

Users Affected:

  • Protected from a CSRF vulnerability that could allow unauthorized setting of attachment thumbnails
  • Will see improved end-of-life notifications with better translations when applicable
  • Should update immediately to maintain site security

Contributors:

  • peterwilsoncc
  • desrosj
  • SergeyBiryukov