WordPress Release: 4.3.20

TL;DR

WordPress 4.3.20 Release

WordPress 4.3.20 is a security and maintenance release that addresses several important security vulnerabilities. This update focuses on improving URL validation, sanitization, and output escaping to enhance the overall security posture of WordPress sites. The release includes fixes for potential security issues in URL handling, content processing, and attachment uploads. Site administrators are strongly encouraged to update immediately to protect their websites from these security vulnerabilities.

Highlight of the Release

• Enhanced URL validation in wp_validate_redirect() to prevent potential security issues
• Improved URL sanitization in wp_kses_bad_protocol_once() to address security vulnerabilities
• Fixed security issues in the attachment upload system through wp_ajax_upload_attachment()
• Removed _convert_urlencoded_to_entities() from the get_the_content() callback for better security
• Updated build and test tools with improved npm dependency caching strategy on Travis CI

Migration Guide

No specific migration steps are required when updating to WordPress 4.3.20. This is a security release that maintains backward compatibility with previous 4.3.x versions.

To update:

1. Back up your website files and database before updating
2. Update through the WordPress admin dashboard or download the update from wordpress.org
3. If you're using a manual update method:
   • Download WordPress 4.3.20
   • Replace your existing WordPress files with the new version
   • Visit your site's /wp-admin/ or /wp-admin/upgrade.php to complete the update if necessary

No database schema changes are included in this release, so the update process should be quick and straightforward.

Upgrade Recommendations

Immediate upgrade strongly recommended

WordPress 4.3.20 addresses several important security vulnerabilities that could potentially be exploited on unpatched sites. All WordPress site administrators running version 4.3.19 or earlier should update to version 4.3.20 immediately.

This is a security release, and the protection it provides for your site outweighs any potential risks of updating. The security fixes included address vulnerabilities in URL validation, sanitization, and output escaping that could be exploited by malicious actors.

For sites still running on the 4.3.x branch, this update is critical. However, for long-term security and to benefit from the latest features and improvements, consider updating to the latest major WordPress version when possible.

Bug Fixes

Security Bug Fixes

• URL Validation: Improved URL validation in wp_validate_redirect() to prevent potential security issues with malformed URLs.
• URL Sanitization: Fixed URL sanitization in wp_kses_bad_protocol_once() to address security vulnerabilities related to protocol handling.
• Attachment Upload: Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities.
• Content Processing: Removed _convert_urlencoded_to_entities() from the get_the_content() callback to address potential security issues in content processing.

Build System Fixes

• Fixed issues with PHP 5.2 builds by changing the npm dependency caching strategy on Travis CI for the 4.3 branch.

New Features

No new features were introduced in this release. WordPress 4.3.20 is primarily a security and maintenance release focused on addressing security vulnerabilities and improving existing functionality.

Security Updates

• URL Validation Enhancement: Improved URL validation in wp_validate_redirect() to prevent potential security issues that could allow malicious redirects.

• URL Sanitization Fix: Enhanced URL sanitization in wp_kses_bad_protocol_once() to address vulnerabilities related to protocol handling that could potentially be exploited.

• Attachment Upload Security: Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS (Cross-Site Scripting) vulnerabilities during file uploads.

• Content Processing Security: Removed _convert_urlencoded_to_entities() from the get_the_content() callback to address potential security issues in content processing that could lead to unexpected behavior or vulnerabilities.

These security fixes address important vulnerabilities that could potentially be exploited by malicious actors. Site administrators should update to WordPress 4.3.20 immediately to protect their websites.

Performance Improvements

This release does not contain any significant performance improvements. The changes are primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.3.20 is a security-focused maintenance release that addresses several important vulnerabilities related to URL handling, content processing, and attachment uploads. The primary impact of this release is enhanced security for WordPress sites through improved validation and sanitization of user inputs and outputs.

The security fixes in this release address potential vulnerabilities that could allow malicious actors to perform attacks such as XSS (Cross-Site Scripting) or malicious redirects. By updating to WordPress 4.3.20, site administrators significantly reduce these security risks.

While this release doesn't introduce new features or performance improvements, the security enhancements are critical for maintaining the integrity and security of WordPress websites. The changes are focused on core WordPress functions that handle URLs, content processing, and file uploads - all areas where security is paramount.

For developers, the changes to URL handling functions and content processing may require review of custom code that interacts with these components, though backward compatibility is maintained. The removal of _convert_urlencoded_to_entities() from the get_the_content() callback represents an important security improvement in how WordPress processes content.

Overall, this release demonstrates WordPress's ongoing commitment to security and the importance of keeping installations updated to protect against emerging threats.