WordPress Release: 4.3.21

TL;DR

WordPress 4.3.21 brings critical security fixes and developer improvements

This maintenance release addresses several important security vulnerabilities in WordPress 4.3, including protections against directory traversal attacks, HTTP API hex interpretation issues, and improper sanitization in the Customizer. It also adds developer convenience with .nvmrc files for easier Node.js version management when working with older WordPress branches. This update is essential for all WordPress 4.3 installations to maintain security and stability.

Highlight of the Release

• Multiple security fixes including protection against directory traversal attacks
• Improved HTTP API security with protection against hex interpretation
• Enhanced admin security with better referer nonce validation
• Added .nvmrc files to help developers work with older WordPress versions
• REST API improvements with proper Vary: Origin headers on GET requests

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied directly to existing WordPress 4.3 installations.

To update:

1. Back up your WordPress site (files and database)
2. Update through the WordPress admin dashboard or download the update and install it manually
3. Verify your site functionality after the update

Note that WordPress 4.3 is an older version of WordPress, and if possible, users should consider upgrading to a more recent major version that receives regular updates and security patches.

Upgrade Recommendations

Immediate Update Strongly Recommended

This release contains critical security fixes that address multiple vulnerabilities in WordPress 4.3. All sites running WordPress 4.3.x should be updated to version 4.3.21 immediately.

While this update provides important security patches for WordPress 4.3, it's important to note that WordPress 4.3 is an older version that is no longer receiving regular updates. For optimal security and access to new features, we strongly recommend upgrading to the latest version of WordPress if your themes and plugins support it.

Update Priority: High - This is a security release that fixes several vulnerabilities.

Bug Fixes

Security-Related Bug Fixes

• Query Component: Removed the static query property to prevent potential security issues.

• HTTP API: Added protection against hex interpretation vulnerabilities that could be exploited in certain contexts.

• Filesystem API: Implemented safeguards to prevent directory traversal attacks when creating new folders, closing a potential security hole.

• Administration: Enhanced validation to ensure that admin referer nonces are properly verified, improving protection against CSRF attacks.

UI Bug Fixes

• Customizer: Improved sanitization of background images to prevent potential security issues.

New Features

Developer Experience Improvements

• Node Version Management: Added .nvmrc files to older WordPress versions, including 4.3, making it easier for developers to switch between branches while maintaining the correct Node.js version for each WordPress version.

REST API Enhancements

• Improved CORS Support: REST API now sends a Vary: Origin header on GET requests, ensuring proper cache behavior when handling cross-origin requests.

Security Updates

Critical Security Fixes

This release addresses several important security vulnerabilities:

• Directory Traversal Protection: Fixed a vulnerability in the Filesystem API that could allow attackers to traverse directories when creating new folders, potentially accessing sensitive files outside the intended directory structure.

• HTTP API Security: Added protection against hex interpretation in the HTTP API, preventing potential security exploits that could arise from malicious input being interpreted as hexadecimal values.

• Admin Authentication: Enhanced the validation of admin referer nonces to ensure they are valid, strengthening protection against cross-site request forgery (CSRF) attacks.

• Customizer Sanitization: Improved sanitization of background images in the Customizer to prevent potential XSS or other injection attacks.

• REST API Security: Added Vary: Origin header on GET requests to the REST API, ensuring proper cache behavior and preventing potential security issues related to cross-origin resource sharing.

Performance Improvements

No specific performance improvements were mentioned in this release. The focus appears to be on security fixes and developer experience enhancements rather than performance optimizations.

Impact Summary

WordPress 4.3.21 is primarily a security-focused release that addresses multiple vulnerabilities that could potentially be exploited in WordPress 4.3 installations. The security fixes span several core components including the Filesystem API, HTTP API, admin authentication, Customizer, and REST API.

For site administrators, this update is critical to maintain the security of WordPress 4.3 installations. The fixes for directory traversal attacks and improved nonce validation directly impact site security and should be applied immediately.

For developers, the addition of .nvmrc files provides a quality-of-life improvement when working with older WordPress branches, making it easier to ensure the correct Node.js environment is used. The removal of the static query property may require attention if any custom code relies on this feature.

API consumers will benefit from more consistent behavior with the REST API due to the addition of the Vary: Origin header on GET requests, which ensures proper cache behavior for cross-origin requests.

Overall, while this is a maintenance release for an older version of WordPress, it contains important security patches that should not be ignored by anyone still running WordPress 4.3.