WordPress Release: 4.3.18

TL;DR

WordPress 4.3.18 is a security and maintenance release that addresses several important security vulnerabilities and improves the platform's stability. This update focuses on enhancing MIME file type verification, improving KSES security handling, fixing multisite activation issues, and preventing unwanted field manipulation during post saving.

This release is critical for all WordPress site owners as it patches security vulnerabilities that could potentially be exploited. The changes primarily affect security aspects of the platform, with particular attention to input sanitization and validation.

Highlight of the Release

• Improved security for file uploads with enhanced MIME type verification
• Better protection against XSS attacks through KSES improvements
• Enhanced multisite activation process with improved validation and messaging
• Prevention of unwanted field manipulation during post saving

Migration Guide

No specific migration steps are required for this update. This is a security and maintenance release that should be applied as soon as possible.

If you have custom code that relies on the <form> element being in $allowedposttags, you should verify that your code continues to work as expected after the update. The update includes backward compatibility measures that should prevent issues in most cases.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains several important security fixes that address potential vulnerabilities in WordPress. All WordPress site owners should update to version 4.3.18 immediately to ensure their sites remain secure.

The update process should be straightforward with no expected compatibility issues. As with any update, it's recommended to:

1. Back up your website before updating
2. Test the update on a staging environment if possible
3. Update all sites as soon as possible to mitigate security risks

Bug Fixes

Multisite Activation Improvements

• Fixed an issue where users could attempt to activate a site multiple times
• Improved messaging when users follow an activation link that has already been used
• Enhanced validation of activation links for better security

KSES Form Element Handling

• Conditionally removed the <form> element from $allowedposttags
• Added logic to re-add <form> if custom filters have added <input> or <select> elements to maintain backward compatibility

Post Saving Security

• Removed the ability to update meta_input, file, and guid fields through user input during post saving, as these fields are not intended to be updated this way

New Features

New KSES URI Attributes Function

A new wp_kses_uri_attributes function has been introduced to centralize the list of URI attributes. This makes the code more maintainable by following the DRY (Don't Repeat Yourself) principle and helps prevent inconsistencies in how URI attributes are handled across the platform.

Additionally, a new filter wp_kses_uri_attributes provides developers with a way to customize these attributes as needed.

Security Updates

Media File Type Verification

Improved verification of MIME file types to prevent potential security vulnerabilities related to file uploads.

KSES Security Enhancements

• Conditionally removed the <form> element from allowed post tags to prevent potential XSS vulnerabilities
• Made URI attributes handling more consistent and secure through the new wp_kses_uri_attributes function
• Improved sanitization of URI attributes across the platform

Post Editor Security

Removed the ability to update sensitive fields (meta_input, file, and guid) through user input during post saving, preventing potential security issues where these fields could be manipulated.

Performance Improvements

No specific performance improvements were included in this release. The changes were primarily focused on security enhancements and bug fixes.

Impact Summary

WordPress 4.3.18 is primarily a security-focused release that addresses several potential vulnerabilities and improves the platform's overall security posture. The changes focus on three main areas:

1. Media handling: Improved verification of MIME file types to prevent security issues with file uploads.

2. KSES security: Enhanced handling of allowed HTML tags and attributes, particularly around form elements and URI attributes, to prevent potential XSS vulnerabilities.

3. Multisite improvements: Better validation and messaging for site activation to prevent confusion and potential security issues.

4. Post editor security: Prevention of unwanted field manipulation during post saving.

These changes are largely under-the-hood improvements that enhance security without changing the user experience. The release demonstrates WordPress's ongoing commitment to security and maintaining a stable platform for its users.