WordPress Release: 4.4.22

TL;DR

WordPress 4.4.22 Release

WordPress 4.4.22 is a security and maintenance release that addresses several important issues. This update focuses on improving security, enhancing UTF-8 character support in filenames, fixing user activation key handling, and addressing query and cache API issues. The release also removes outdated tests and unused code to maintain a cleaner codebase.

This release is important for all WordPress 4.4.x users as it contains security fixes and improvements that enhance the overall stability and security of your WordPress installation. Site administrators should update their sites as soon as possible to ensure they're protected against potential vulnerabilities.

Highlight of the Release

• Security improvements for user activation keys
• Enhanced UTF-8 character support in filenames
• Fixed query handling for date/time based queries
• Improved cache API security with proper escaping

Migration Guide

No specific migration steps are required for this maintenance release. Simply update your WordPress installation to version 4.4.22 through your admin dashboard or via manual update.

If you're using custom code that interacts with user activation keys, the cache API stats method, or relies on specific behavior of date/time queries, you may want to test your functionality after updating to ensure compatibility.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.4.x sites be updated to version 4.4.22 immediately due to the security fixes included in this release.

To update:

1. Back up your website files and database
2. Update through your WordPress admin dashboard (recommended)
3. Alternatively, download the update from WordPress.org and perform a manual update

Note that WordPress 4.4 is an older branch and users are encouraged to consider upgrading to the latest major version of WordPress for access to new features, improved security, and ongoing support.

Bug Fixes

Query and User Management Fixes

• Date/Time Query Fix: Resolved an issue where multiple posts could be returned on date/time based queries when only a single post should be returned.

• User Activation Key: Fixed a security issue by ensuring that user activation keys are properly invalidated when a password is updated, preventing potential unauthorized access.

Cache API Improvements

• Proper Escaping: Enhanced security in the cache API by ensuring proper escaping around the stats method, preventing potential SQL injection vulnerabilities.

New Features

Enhanced UTF-8 Character Support

The sanitize_file_name function has been expanded to provide better support for UTF-8 characters in filenames. This improvement allows users to upload files with non-Latin characters while maintaining security and compatibility across different systems.

Security Updates

Security Enhancements

• User Activation Key Invalidation: Fixed a security vulnerability by ensuring that user_activation_key values are properly invalidated when a user's password is updated. This prevents potential unauthorized access through stale activation keys.

• Cache API Escaping: Implemented proper escaping around the stats method in the cache API to prevent potential SQL injection attacks.

• Query Handling: Fixed a vulnerability in date/time based queries that could potentially return multiple posts when only a single post should be returned, which could lead to information disclosure or unexpected behavior.

Performance Improvements

Code Cleanup and Optimization

• Removed unused ::assertPostHasTerms() method from test files, as the associated test was previously removed.

• Removed external oEmbed tests for YouTube that no longer tested anything WordPress core has control over, streamlining the test suite.

These code cleanup efforts help maintain a leaner codebase and potentially improve performance by removing unnecessary code paths.

Impact Summary

WordPress 4.4.22 is primarily a security and maintenance release that addresses several important issues without introducing major new features. The most significant impacts are:

1. Security Improvements: The release fixes multiple security vulnerabilities, particularly around user activation keys and the cache API, making WordPress installations more secure against potential attacks.

2. International User Experience: The improved UTF-8 character support in filenames makes WordPress more accessible and user-friendly for international users who work with non-Latin characters.

3. Query Reliability: The fix for date/time based queries ensures more predictable and correct behavior when retrieving posts based on date criteria.

4. Code Health: Removal of outdated and unused test code contributes to a cleaner, more maintainable codebase.

While this is a maintenance release for an older branch of WordPress, the security fixes make it an essential update for any site still running WordPress 4.4.x. Site administrators should prioritize this update to ensure their sites remain secure.