WordPress Release: 4.3.29
Tag Name: 4.3.29
Release Date: 8/30/2022
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.3.29 Security Release
This maintenance release focuses on security improvements for WordPress 4.3. It includes several important security fixes that address output escaping vulnerabilities and improves the security of bookmark queries. Additionally, the release updates GitHub Actions workflows to enhance the development infrastructure, particularly around Slack notifications.
Highlight of the Release
- Security fixes for output escaping in the the_meta() function
- Improved validation of bookmark query limits
- Enhanced error message escaping in plugin functionality
- Updated GitHub Actions workflows for better development infrastructure
Migration Guide
No migration steps are required for this release. WordPress 4.3.29 is a security maintenance release that should be a seamless update from WordPress 4.3.28.
Upgrade Recommendations
It is strongly recommended that all WordPress sites running version 4.3.x update to version 4.3.29 immediately to address the security vulnerabilities fixed in this release.
While WordPress 4.3 is an older version that has reached its end of official support, this security release has been provided as a courtesy for sites that have not yet upgraded to more recent WordPress versions.
For optimal security and features, site administrators should consider upgrading to the latest supported WordPress version.
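One way to check installs against the recommendation above, as an added example that is not part of the release notes or of WordPress core: the script reads the version WordPress records in wp-includes/version.php and reports whether a 4.3.x install is older than 4.3.29. The function names and the `make_sample` helper, which writes a constructed version.php, are hypothetical, and each argument is assumed to be a WordPress root directory.

```shell
#!/bin/sh
# Added example (not WordPress core code): flag 4.3.x installs older than 4.3.29.
# Assumption: each argument is a WordPress root directory containing wp-includes/.
FIXED_PATCH=29   # 4.3.29 is the 4.3-branch release that carries the fixes

# Print the version recorded in wp-includes/version.php; fail if unreadable.
wp_version() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || return 1
    # Matches the assignment line, e.g.  $wp_version = '4.3.28';
    sed -n 's/^[[:space:]]*\$wp_version[[:space:]]*=[[:space:]]*.\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
}

# Print one of: outdated | patched | other-branch | unknown
classify_wp() {
    v=$(wp_version "$1") || v=""
    case "$v" in
        "")    echo "unknown"; return 0 ;;
        4.3)   echo "outdated"; return 0 ;;      # 4.3 itself predates every 4.3.N
        4.3.*) patch=${v#4.3.} ;;
        *)     echo "other-branch"; return 0 ;;  # outside the scope of this release
    esac
    case "$patch" in
        ''|*[!0-9]*) echo "unknown" ;;           # not a plain patch number
        *) if [ "$patch" -lt "$FIXED_PATCH" ]; then echo "outdated"; else echo "patched"; fi ;;
    esac
}

# Constructed sample for offline testing: a minimal version.php for version $2.
make_sample() {
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
}

for root in "$@"; do
    printf '%s\t%s\t%s\n' "$root" "$(wp_version "$root")" "$(classify_wp "$root")"
done
```

Run it with one or more install roots as arguments; each output line is the path, the detected version and the status, separated by tabs.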
Bug Fixes
Security Bug Fixes
- Posts & Post Types: Fixed output escaping vulnerability within the the_meta() function to prevent potential XSS attacks.
- General: Added validation to ensure bookmark query limits are numeric, preventing potential SQL injection.
- Plugins: Improved escaping of output in plugin error messages to prevent potential XSS vulnerabilities.
New Features
No new features were added in this release. WordPress 4.3.29 is a security maintenance release focused on fixing vulnerabilities and improving the development infrastructure.
Security Updates
Security Improvements
This release addresses several security vulnerabilities:
- XSS Prevention: Fixed output escaping in the the_meta() function to prevent cross-site scripting attacks.
- SQL Injection Prevention: Added validation to ensure bookmark query limits are numeric values.
- Plugin Security: Enhanced escaping of output in plugin error messages to prevent potential XSS vulnerabilities.
These security fixes were contributed by tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, and timothyblynjacobs.
Performance Improvements
No specific performance improvements were included in this release. The focus was on security fixes and development infrastructure updates.
Impact Summary
WordPress 4.3.29 is a security-focused maintenance release that addresses several vulnerabilities related to output escaping and input validation. The fixes prevent potential cross-site scripting (XSS) attacks in the the_meta() function and plugin error messages, as well as potential SQL injection through bookmark query parameters.
This release is part of WordPress's commitment to maintaining security for older versions, even though WordPress 4.3 is beyond its official support period. The security fixes are provided as a courtesy to sites that have not yet upgraded to more recent WordPress versions.
The development infrastructure improvements included in this release do not affect the functionality of WordPress sites but enhance the development workflow for WordPress core contributors through updated GitHub Actions workflows, particularly for Slack notifications.
Site administrators should update to this version immediately to protect their sites from the addressed security vulnerabilities.
Users Affected:
- Should update to WordPress 4.3.29 immediately to protect sites from security vulnerabilities
- Benefit from improved output escaping in various WordPress functions
- No visible changes to the admin interface or functionality
