WordPress Release: 4.4.33

TL;DR

WordPress 4.4.33 is a maintenance and security release that addresses a path traversal vulnerability in the Template-Part Block on Windows systems and improves test reliability by using WordPress.org CDN images for external HTTP tests. This release is important for WordPress 4.4 branch users, particularly those running on Windows servers, as it patches a security vulnerability that could potentially be exploited.

Highlight of the Release

• Fixed a path traversal security vulnerability in the Template-Part Block on Windows systems
• Improved test reliability by using WordPress.org CDN images for external HTTP tests
• Addressed issues with image size variations in tests across different platforms

Migration Guide

No migration steps are required for this update. This is a standard maintenance and security release that can be applied through the normal WordPress update process without any special considerations.

Upgrade Recommendations

It is strongly recommended that all WordPress sites running version 4.4 update to version 4.4.33 immediately, especially those hosted on Windows servers. This release contains an important security fix for a path traversal vulnerability that could be exploited on Windows systems.

You can update through your WordPress dashboard or download the update directly from WordPress.org.

Bug Fixes

Test Reliability Improvements

Fixed issues with external HTTP tests by switching to use images from the WordPress.org CDN. This addresses inconsistencies that were occurring due to WP.com's on-the-fly image compression, which resulted in different image sizes being returned across various platforms. This change makes the affected tests more reliable and consistent across different environments.

New Features

No new features were added in this maintenance and security release. WordPress 4.4.33 focuses on security improvements and test reliability.

Security Updates

Path Traversal Vulnerability Fix

Fixed a path traversal vulnerability in the Template-Part Block when running WordPress on Windows systems. This security issue could potentially allow attackers to access files outside of the intended directory structure on Windows-based servers. The fix prevents unauthorized file system access through the Template-Part Block, enhancing the security of WordPress installations on Windows platforms.

Performance Improvements

No specific performance improvements were included in this release. WordPress 4.4.33 primarily focuses on security fixes and test reliability enhancements.

Impact Summary

WordPress 4.4.33 is a targeted security and maintenance release that addresses a specific path traversal vulnerability affecting Windows-based WordPress installations and improves test reliability. While the changes are minimal in scope, the security fix is significant for Windows server users. The test improvements ensure more consistent behavior across different platforms by using WordPress.org CDN images instead of relying on WP.com's dynamically compressed images. This release demonstrates WordPress's ongoing commitment to maintaining security and stability in older branches of the software.