WordPress Release: 4.3.25

Tag Name: 4.3.25

Release Date: 10/29/2020

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.3.25 Release

WordPress 4.3.25 is a security and maintenance release that addresses several important security vulnerabilities and improves the overall stability of the platform. This update focuses on enhancing security across multiple components including XML-RPC, embeds, and meta handling, while also improving administrative screen options and error messaging. The release is particularly important for sites running WordPress 4.3.x as it patches security issues that could potentially be exploited.

Highlights of the Release

    • Security improvements in XML-RPC, embeds, and meta handling
    • Enhanced screen option filters in the admin area
    • Improved error messages for unprivileged users
    • Disabled embeds on deactivated Multisite sites
    • Better protection for theme background image settings

Migration Guide

This is a security and maintenance release that doesn't require any specific migration steps. Simply update to WordPress 4.3.25 through your admin dashboard or via manual update.

If you're a developer who has implemented custom code that interacts with screen options, note that there's a new filter set_screen_option_{$option} that complements the existing set-screen-option filter. Both filters now use the parameter name $screen_option instead of $keep for improved clarity.

Upgrade Recommendations

Immediate upgrade recommended

This release contains several important security fixes that address vulnerabilities in WordPress 4.3.x. All users running WordPress 4.3.x are strongly encouraged to update to version 4.3.25 immediately to protect their sites from potential security threats.

While WordPress 4.3.x is no longer receiving regular updates, this security release demonstrates WordPress's commitment to patching critical security issues even in older versions. However, for the best security, performance, and features, users should consider upgrading to the latest major WordPress version.

Bug Fixes

  • XML-RPC: Improved error messages for unprivileged users and fixed handling of incorrect attachment IDs
  • Installation: Enhanced logic check when determining WordPress installation status
  • Meta Handling: Fixed potential security issue by properly sanitizing meta keys before checking protection status
  • Admin Screen Options: Resolved issues with screen option handling to ensure proper backward compatibility
  • Theme Background Images: Fixed security vulnerability that could allow non-privileged users to set background images in themes using the deprecated custom background page

New Features

New Filter for Screen Options

A new filter set_screen_option_{$option} has been added to ensure backward compatibility when handling screen options in the admin area. This complements the existing set-screen-option filter, providing developers with more granular control over specific screen options.
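A sketch of how a plugin could use the option-specific hook to validate a value before it is stored. This is an added example, not WordPress core code and not from the release itself: the option name myplugin_items_per_page and the 1 to 200 bound are hypothetical, and it assumes the callback receives ($screen_option, $option, $value) and that returning false skips saving.

```php
<?php
// Added example, not WordPress core code.
// 'myplugin_items_per_page' is a hypothetical option name; bounds are illustrative.
const MYPLUGIN_OPTION = 'myplugin_items_per_page';

/**
 * Callback for the set_screen_option_{$option} filter.
 *
 * @param mixed  $screen_option Value to save so far; false means "do not save".
 * @param string $option        Name of the screen option being saved.
 * @param mixed  $value         Raw value submitted from the Screen Options form.
 * @return int|false Validated integer to store, or false to skip saving.
 */
function myplugin_set_screen_option( $screen_option, $option, $value ) {
    if ( MYPLUGIN_OPTION !== $option ) {
        // Not our option: pass the current decision through unchanged.
        return $screen_option;
    }

    // Accept only 1-3 plain decimal digits; reject arrays, signs, whitespace,
    // trailing text and anything else before casting.
    if ( ! is_scalar( $value ) || 1 !== preg_match( '/\A[0-9]{1,3}\z/', (string) $value ) ) {
        return false;
    }

    $value = (int) $value;

    // Enforce the allowed range; out-of-range input is dropped, not clamped.
    return ( $value >= 1 && $value <= 200 ) ? $value : false;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook only the filter for this one option,
    // so the callback never sees values belonging to other plugins.
    add_filter( 'set_screen_option_' . MYPLUGIN_OPTION, 'myplugin_set_screen_option', 10, 3 );
} else {
    // Outside WordPress (php CLI): exercise the callback on constructed inputs.
    $samples = array( '25', '0', '9999', '25 OR 1=1', array( 1 ), "25\n" );
    foreach ( $samples as $raw ) {
        var_dump( myplugin_set_screen_option( false, MYPLUGIN_OPTION, $raw ) );
    }
}
```

Because the hook name embeds the option name, the validation runs only for this plugin's option, which is the granularity the generic set-screen-option filter does not give on its own.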

Security Updates

  • XML-RPC: Enhanced security by improving error messages that could potentially expose sensitive information to unprivileged users
  • Embeds: Disabled embeds on deactivated Multisite sites to prevent potential security issues
  • Meta Handling: Added proper sanitization of meta keys before checking protection status
  • Escaping Functions: Modified to avoid potential false positives that could lead to security vulnerabilities
  • Theme Background Images: Implemented proper permission checks to ensure only privileged users can set background images when a theme uses the deprecated custom background page
  • External Libraries: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection attacks

Performance Improvements

  • External Libraries: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential performance and security issues
  • Admin Interface: Optimized screen option handling for better performance

Impact Summary

WordPress 4.3.25 is primarily a security-focused release that addresses multiple vulnerabilities across different components of the CMS. The update improves security in XML-RPC handling, embeds functionality, meta key sanitization, and theme background image permissions. It also enhances the screen options API with better backward compatibility and clearer parameter naming.

The security improvements are particularly significant as they patch potential vulnerabilities that could be exploited to compromise site security. The XML-RPC improvements prevent information disclosure to unprivileged users, while the changes to embeds prevent potential issues on deactivated Multisite sites.

For developers, the addition of the set_screen_option_{$option} filter and the renaming of parameters for clarity provide better API consistency and documentation. While this is a maintenance release for an older branch of WordPress, the security fixes are critical for sites still running WordPress 4.3.x.

Statistics:

Files Changed: 19
Line Additions: 144
Line Deletions: 43
Line Changes: 187
Total Commits: 4

Users Affected:

  • Improved screen option handling in admin interfaces
  • Enhanced security when setting background images
  • Better error messages when working with XML-RPC

Contributors:

SergeyBiryukov, whyisjake, desrosj