WordPress Release: 4.3.12

TL;DR

WordPress 4.3.12 is a security and maintenance release that addresses several important security vulnerabilities and includes various improvements to the testing infrastructure. This update focuses on hardening the database layer, preventing malicious URL injections, improving file handling security, and enhancing the admin interface protection against potential XSS attacks. The release contains critical security fixes that affect all WordPress installations, making it an essential upgrade for all site owners.

Highlight of the Release

• Multiple security hardening measures for the database layer
• Prevention of JavaScript and data URL injections in the editor
• Improved file handling security for uploads and unzipping operations
• Enhanced protection against XSS attacks in the admin interface
• Improved shortcode previews in the TinyMCE editor

Migration Guide

No specific migration steps are required for this update. As this is primarily a security release, the changes are designed to be backward compatible with existing WordPress installations.

However, developers should note that the wpdb::prepare() method now enforces stricter handling of placeholders and values. If you're using this method in custom plugins or themes, ensure your code follows the documented approach of using only supported placeholders (%s, %d, and %F) and properly escaping any literal percentage signs.

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress installations.

This release contains critical security fixes that address multiple vulnerabilities. Site owners should update to WordPress 4.3.12 as soon as possible to protect their websites from potential security threats.

The security improvements in this release are significant enough to warrant prioritizing this update, even for sites that typically delay maintenance updates. The database hardening and protection against URL-based attacks are particularly important security enhancements.

Bug Fixes

Security and Bug Fixes

• Editor: Prevented adding javascript: and data: URLs through the inline link dialog, closing a potential security vulnerability
• Users: Added a fallback for incorrect HTTP referrers to improve reliability
• Filesystem API: Enhanced security by validating filenames before unzipping to prevent issues with malformed file paths
• Database: Fixed multiple issues in wpdb::prepare():
  • Prevented additional values from being processed when arrays are passed
  • Stopped triggering _doing_it_wrong() for null values
  • Improved escaping to properly handle percentage signs in queries
• Admin Interface: Added missing URL-encoding and extra hardening to plugin and template names when displayed in the admin area
• Users: Implemented correct escaping function for URLs to prevent potential security issues

New Features

No significant new features were added in this maintenance release. WordPress 4.3.12 focuses primarily on security fixes and infrastructure improvements.

Security Updates

• Database Hardening: Multiple security improvements to wpdb::prepare() to prevent SQL injection vulnerabilities:

  • Enforced stricter handling of placeholders (%s, %d, and %F)
  • Improved escaping of percentage signs in queries
  • Prevented processing of unexpected additional values

• URL Injection Prevention:

  • Blocked javascript: and data: URLs in the inline link dialog to prevent XSS attacks
  • Implemented proper URL escaping in user-related functions

• Admin Interface Protection:

  • Added URL-encoding and hardening to plugin and template names in admin displays
  • Improved escaping for URLs in user management screens

• File System Security:

  • Enhanced validation of filenames before unzipping to prevent directory traversal attacks
  • Added protection against malformed file paths that could potentially be exploited

Performance Improvements

This release does not contain any significant performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.3.12 is primarily a security-focused release that addresses several important vulnerabilities. The most significant changes involve hardening the database layer through improvements to wpdb::prepare(), preventing malicious URL injections in the editor, enhancing file handling security, and improving protection against XSS attacks in the admin interface.

The database changes are particularly notable as they enforce stricter handling of placeholders and values in prepared SQL statements, which helps prevent SQL injection attacks. The editor improvements block potentially dangerous URL schemes that could be used for XSS attacks.

While this release doesn't introduce new features or significant performance improvements, the security enhancements are critical for maintaining the integrity and security of WordPress websites. Site administrators should prioritize this update to protect their sites from potential exploits targeting the vulnerabilities addressed in this release.