WordPress Release: 4.3.31

Tag Name: 4.3.31

Release Date: 5/16/2023

WordPress

The world's most popular open-source content management system, powering over 40% of all websites. It offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. It is a highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.3.31 is a maintenance and security release that addresses a CSRF vulnerability in media attachment thumbnails, updates GitHub Actions workflows, adds new translation strings for end-of-life notices, and improves HTTP testing by removing external dependencies. This release focuses on maintaining the security and stability of the 4.3 branch while modernizing the development infrastructure.

Highlights of the Release

    • Security fix for CSRF vulnerability in media attachment thumbnails
    • Added new translation strings for end-of-life notifications
    • Improved HTTP testing by removing external dependencies
    • Modernized GitHub Actions workflows with automatic retries and deprecated notice fixes

Migration Guide

No specific migration steps are required for this maintenance release. As always, it's recommended to back up your site before updating.

Upgrade Recommendations

This release contains an important security fix, so it is strongly recommended that all WordPress sites running version 4.3.x update to version 4.3.31 as soon as possible.

Note that WordPress 4.3 is an older branch and is no longer receiving regular updates except for critical security fixes. For the best experience and security, users should consider upgrading to the latest version of WordPress.

Bug Fixes

HTTP API Improvements

The test for handling multiple location headers in HTTP redirects has been refactored to no longer depend on wordpress.org as an external dependency. The test now directly calls the WP_HTTP::handle_redirects() method with a mocked array of HTTP headers, making it more reliable and faster to execute. This test has been moved from the external-http group to the http test group.

New Features

New Translation Strings for End-of-Life Notifications

New translation strings have been added to about.php for use when releasing the final version of WordPress on the 4.3 branch. These strings will help communicate important end-of-life information to users in their preferred language.

Security Updates

Media: CSRF Vulnerability Fix

This release addresses a Cross-Site Request Forgery (CSRF) vulnerability related to setting attachment thumbnails. The fix prevents unauthorized users from manipulating media attachment thumbnails through CSRF attacks, enhancing the security of WordPress media management.

Performance Improvements

GitHub Actions Workflow Improvements

Multiple improvements to GitHub Actions workflows have been backported to ensure consistent and reliable CI/CD processes:

  • Fixed deprecated notices related to save-output and set-output
  • Added support for automatically retrying failed workflows once
  • Removed workflow files not applicable to the 4.3 branch
  • Updated Docker environment related tooling for consistency across branches

These changes help maintain a stable development infrastructure for the 4.3 branch.

Impact Summary

WordPress 4.3.31 is primarily a security and maintenance release that addresses a CSRF vulnerability in media attachment thumbnails. While this is an older branch of WordPress, this update is important for sites that haven't yet upgraded to newer major versions.

The release also includes several improvements to the development infrastructure, particularly in GitHub Actions workflows, which helps maintain a stable environment for ongoing maintenance of the 4.3 branch. The addition of end-of-life notification strings suggests that WordPress is preparing for the eventual end of support for this branch.

For users still on WordPress 4.3, this update is essential to maintain security. However, the WordPress team continues to recommend upgrading to the latest version for the most comprehensive security protection and feature improvements.

Statistics:

  • Files Changed: 16
  • Line Additions: 295
  • Line Deletions: 75
  • Line Changes: 370
  • Total Commits: 5

Users Affected:

  • Protected from a CSRF vulnerability related to attachment thumbnails
  • Will see new end-of-life notification strings when the 4.3 branch reaches its final version
  • Benefit from improved security and stability

Contributors:

peterwilsoncc, desrosj, SergeyBiryukov