WordPress Release: 4.3.30

Tag Name: 4.3.30

Release Date: 10/17/2022

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.3.30 Security Release

This maintenance release includes multiple security fixes for WordPress 4.3. It introduces strings to indicate security support status for future use and backports several security patches from newer WordPress versions. This release is part of WordPress's ongoing commitment to maintain older branches with critical security updates, even as they approach end-of-life status.

Highlight of the Release

    • Introduction of strings to indicate security support status for future use
    • Multiple security fixes backported from newer WordPress versions
    • Improved KSES filtering applied to post-by-email content, trackbacks, and comments
    • Enhanced validation for various WordPress components
    • Security improvements to PHPMailer property handling

Migration Guide

No specific migration steps are required for this security update. Site administrators should update to WordPress 4.3.30 as soon as possible to ensure their sites are protected against the security vulnerabilities addressed in this release.

However, site administrators should be aware that the WordPress 4.3.x branch is approaching end-of-life status for security support. Planning for an upgrade to a more recent WordPress version is strongly recommended.

Upgrade Recommendations

This is a security release that addresses multiple vulnerabilities in WordPress 4.3. All WordPress 4.3 sites are strongly encouraged to update immediately.

While this update provides important security fixes, it's important to note that WordPress 4.3 is an older branch that is approaching end-of-life for security support. Site administrators should plan to upgrade to a more recent WordPress version as soon as feasible.

For sites unable to upgrade to newer major versions immediately, applying this security update is essential to maintain the best possible security posture in the interim.

Bug Fixes

Security Fixes

  • Posts/Post Types:
    • Applied KSES filtering to post-by-email content for improved security
    • Removed emails from post-by-email logs to protect user privacy
  • Comments and Trackbacks:
    • Applied KSES filtering to all trackbacks
    • Enhanced security when editing comments with proper KSES application
  • General Security Improvements:
    • Added host validation on the "Are you sure?" screen
    • Escaped the blogname option in underscores templates in the Customizer
    • Reset PHPMailer properties between uses to prevent information leakage
    • Added validation for the relation parameter in WP_Date_Query
    • Escaped RSS error messages for display in widgets

New Features

New Support Status Indicators

Added strings to indicate the security support status of WordPress versions. These strings will be used in future maintenance/security releases to:

  • Indicate when a WordPress version is no longer receiving security updates
  • Warn users when a WordPress version will shortly stop receiving security updates

This change makes these strings available to translators in preparation for future use when dropping support for selected WordPress versions.

Security Updates

Critical Security Fixes

This release includes multiple security enhancements backported from newer WordPress versions:

  1. Content Filtering Improvements:
    • Enhanced KSES filtering for post-by-email content to prevent potential XSS vulnerabilities
    • Applied proper KSES filtering to trackbacks to prevent malicious content injection
    • Improved comment editing security with proper content filtering
  2. Input Validation:
    • Added host validation on confirmation screens
    • Implemented validation for query parameters in WP_Date_Query
    • Enhanced security of the Customizer by properly escaping the blogname option
  3. Data Protection:
    • Removed email addresses from post-by-email logs to protect user privacy
    • Reset PHPMailer properties between uses to prevent potential information disclosure
  4. Output Escaping:
    • Properly escaped RSS error messages in widgets to prevent potential XSS vulnerabilities

Performance Improvements

No specific performance improvements were mentioned in this security-focused release.

Impact Summary

WordPress 4.3.30 is primarily a security maintenance release that backports multiple security fixes from newer WordPress versions to the 4.3 branch. It introduces strings for indicating security support status (to be used in future releases) and fixes several security vulnerabilities related to content filtering, input validation, and data protection.

The security improvements span multiple WordPress components including post-by-email functionality, trackbacks, comments, the Customizer, PHPMailer handling, query validation, and widget output. These changes strengthen WordPress 4.3's security posture while maintaining compatibility with existing sites.

This release is particularly important for sites still running WordPress 4.3, as it addresses security vulnerabilities that could otherwise be exploited. However, site administrators should be aware that the 4.3.x branch is approaching end-of-life for security support and should plan to upgrade to a more recent WordPress version.

Statistics:

  • Files Changed: 12
  • Line Additions: 85
  • Line Deletions: 12
  • Line Changes: 97
  • Total Commits: 4

Users Affected:

  • Site administrators need to update their WordPress installations to ensure the security vulnerabilities are patched
  • Site administrators should be aware of the approaching end of security support for the WordPress 4.3.x branch
  • Sites will benefit from improved security handling in various WordPress components

Contributors:

  • peterwilsoncc
  • SergeyBiryukov