WordPress Release: 4.3.1

TL;DR

WordPress 4.3.1 is a security and maintenance release addressing multiple bugs and security vulnerabilities from the 4.3 release. This update fixes critical issues with term splitting, password management, customizer functionality, and shortcode security. It also includes improvements to the SSH2 filesystem handler and TinyMCE editor. All WordPress users are strongly encouraged to update immediately to maintain site security and stability.

Highlight of the Release

• Fixed critical security vulnerabilities in shortcode handling and list tables
• Resolved issues with password management and generation
• Fixed term splitting functionality and cron scheduling
• Improved Customizer UI and functionality
• Updated TinyMCE to version 4.2.5
• Fixed SSH2 filesystem handler to prevent update failures

Migration Guide

Upgrading to WordPress 4.3.1

This is a security and maintenance release that is compatible with existing WordPress 4.3 installations. No special migration steps are required for most users.

For Developers

If you have custom code that extends or overrides wp_new_user_notification(), be aware that the second parameter $plaintext_pass was removed in an earlier update and restored as $notify with different behavior. In 4.3.1, this parameter is deprecated and reintroduced as the third parameter for backward compatibility.

The correct function signature is now:

wp_new_user_notification( $user_id, $deprecated = '', $notify = '' )

If your code passes a second parameter to this function, you should update it to use the third parameter position instead to avoid potential issues with user notifications.

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress users.

WordPress 4.3.1 contains critical security fixes that protect your site from potential vulnerabilities. The release also addresses several bugs that may affect site functionality.

How to Update:

1. Back up your website files and database before updating
2. Update through your WordPress dashboard by going to Dashboard > Updates
3. Alternatively, download the update from WordPress.org and perform a manual update

If you're still running WordPress 4.2.x or earlier, it's highly recommended to update directly to 4.3.1 to ensure your site has all the latest security patches and bug fixes.

Bug Fixes

Term Splitting

• Fixed a parameter reversal in wp_schedule_single_event() that affected term splitting functionality
• Implemented a faster cron unschedule process for sites with thousands of affected jobs
• Fixed the cron hook name in the failsafe rescheduler

Customizer

• Fixed logic for determining container elements when focusing on panels, sections, or controls
• Ensured persistence of unchanged active state for controls, sections, and panels
• Fixed panel/section expansion behavior to collapse any expanded panels/sections before expanding others
• Prevented JavaScript errors during initialization when the nav_menus panel is removed by a plugin

Password Management

• Fixed unintended password changes after clicking "Generate Password" and then "Cancel" when editing user profiles
• Improved password field refresh when content is pasted into fields
• Fixed label reassignment when switching password fields
• Added proper error icon placement and error class removal for password fields
• Implemented event triggering for password field validation

Other Fixes

• Fixed widget instance existence check by reverting to array_key_exists() instead of isset()
• Removed problematic SSH2 handler support for is_writable() that caused update failures
• Fixed category dropdown selection issues by properly casting values to strings
• Ensured comments are closed by default on the "Sample Page" created during installation
• Fixed count_user_posts() to properly pass the $public_only value to the 'get_usernumposts' filter
• Fixed WPDB get_table_from_query() to correctly find table names with hyphens
• Fixed line break placeholder removal from HTML comments in wpautop()
• Fixed TinyMCE plugin loading order to ensure the WordPress plugin is loaded before calling _createToolbar()
• Fixed global variable import for $wp_hasher in wp_new_user_notification()
• Improved Site Icon preview to fall back to full size URL when thumbnail size doesn't exist
• Fixed multisite user deletion content attribution dropdown display
• Fixed comment inline edit/reply functionality on small screens

New Features

No significant new features were introduced in this maintenance release. WordPress 4.3.1 focuses on fixing bugs and security issues present in the 4.3 release.

Security Updates

Critical Security Fixes

• Shortcode Security: Fixed a vulnerability that allowed unclosed HTML elements in shortcode attributes, which could potentially be exploited for cross-site scripting (XSS) attacks

• List Table Security: Implemented proper escaping for user emails in list tables to prevent potential XSS vulnerabilities

• XML-RPC Security: Added protection to prevent private posts from being made sticky through XML-RPC calls

• Password Management: Fixed several issues with password handling and generation that could potentially lead to security vulnerabilities

These security fixes address important vulnerabilities that could be exploited by malicious actors. All WordPress users should update to 4.3.1 immediately to protect their sites.

Performance Improvements

Term Splitting Performance

• Implemented a faster cron unschedule process for sites with thousands of affected jobs, significantly improving performance for large sites with many term splitting operations

Customizer Improvements

• Optimized panel/section expansion behavior by ensuring only one panel/section is expanded at a time, reducing unnecessary DOM operations

Other Performance Enhancements

• Fixed SSH2 filesystem handler to skip unnecessary write tests during updates, improving update performance for sites using SFTP connections

Impact Summary

WordPress 4.3.1 is primarily a security and maintenance release that addresses multiple vulnerabilities and bugs present in WordPress 4.3. The most significant impact is on security, with fixes for shortcode handling, list table email escaping, and XML-RPC functionality.

For site administrators, this update resolves critical issues with password management and SSH2 filesystem handling that previously caused update failures. Content creators will benefit from fixes to the TinyMCE editor and improved comment functionality on small screens.

Developers should note the changes to term splitting functionality, cron scheduling, and the deprecated parameter in wp_new_user_notification(). The update also improves the Customizer experience with better panel/section handling and fixes for various UI issues.

Overall, this release significantly improves the stability, security, and user experience of WordPress 4.3 without introducing breaking changes. The security improvements alone make this an essential update for all WordPress users.