WordPress Release: 4.5.11

Tag Name: 4.5.11

Release Date: 10/31/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.5.11 Release

This maintenance release addresses two important issues: restoring support for numbered placeholders in wpdb::prepare() and fixing test cases for PHPUnit compatibility. The database fix is particularly significant as it restores functionality that many plugins and themes relied on, despite being undocumented. This release ensures better backward compatibility while also improving security by adding extra checks for the correct number of arguments in database queries.

Highlights of the Release

    • Restored support for numbered placeholders in wpdb::prepare() database queries
    • Added extra validation to ensure the correct number of arguments in database queries
    • Fixed test cases for PHPUnit compatibility

Migration Guide

No migration steps are required for this update. The changes restore previously available functionality and fix bugs without introducing breaking changes.

If you're a developer who was affected by the removal of numbered placeholders in wpdb::prepare(), your code should work again after updating to 4.5.11 without requiring modifications.

Upgrade Recommendations

This is a recommended update for all WordPress 4.5.x users, especially for sites running plugins or themes that might use numbered placeholders in database queries.

The update addresses compatibility issues that could affect site functionality and includes security improvements for database query handling. As this is a maintenance release, it focuses on fixes rather than new features, making it a low-risk update.

How to update: Use the automatic update feature in your WordPress dashboard or download the update from the WordPress.org website.

Bug Fixes

Database Query Fixes

  • Restored numbered placeholders in wpdb::prepare(): The previous version, 4.5.10, had removed support for numbered placeholders in database queries, which, although undocumented, were widely used by developers. This release restores that functionality to maintain backward compatibility.

  • Added validation for query arguments: Implemented extra checks to ensure that the number of arguments passed to wpdb::prepare() matches the number of placeholders in the query, improving security and preventing potential errors.
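
An added example (not WordPress core code and not part of the release): a stand-alone PHP helper a plugin author could use to audit format strings passed to wpdb::prepare(), counting placeholders, including the numbered form, and comparing the result with the arguments supplied. It assumes sprintf-style counting, which may differ from the exact rule core applies; the function names and sample queries are constructed for illustration.

```php
<?php
// Added example: a simplified audit helper, not WordPress core code.

/**
 * How many arguments a prepare()-style format string needs.
 * Understands %s, %d, %f/%F, numbered forms such as %1$s, and the %% literal.
 * Assumption: sprintf-style counting; core's own rule may differ.
 */
function expected_arg_count(string $query): int
{
    // Drop literal "%%" first so it is never read as a placeholder.
    $stripped = str_replace('%%', '', $query);

    // Optional "N$" position, then the conversion type.
    preg_match_all('/%(?:(\d+)\$)?[sdfF]/', $stripped, $m);

    $sequential = 0;
    $highest = 0;
    foreach ($m[1] as $position) {
        if ($position === '') {
            $sequential++;                               // plain %s, %d, %f
        } else {
            $highest = max($highest, (int) $position);   // %2$s needs two arguments
        }
    }
    return max($sequential, $highest);
}

/** Classify one call: 'ok', 'no-placeholders', or a mismatch message. */
function audit_prepare_call(string $query, array $args): string
{
    $expected = expected_arg_count($query);
    if ($expected === 0) {
        return 'no-placeholders';   // nothing is bound; review how values reach the SQL
    }
    $given = count($args);
    return $given === $expected ? 'ok' : "mismatch: expected $expected, got $given";
}

// Constructed sample calls (table and column names are illustrative).
$samples = [
    ['SELECT ID FROM wp_posts WHERE post_author = %d AND post_status = %s', [7, 'publish']],
    ['SELECT ID FROM wp_posts WHERE post_title = %1$s OR post_name = %1$s', ['hello']],
    ['SELECT post_id FROM wp_postmeta WHERE meta_key = %s AND meta_value = %s', ['color']],
    ["SELECT ID FROM wp_posts WHERE post_title LIKE '%%sale%%' AND ID = %d", [3]],
    ['SELECT ID FROM wp_posts WHERE post_status = "publish"', []],
];
foreach ($samples as [$query, $args]) {
    echo str_pad(audit_prepare_call($query, $args), 30), $query, PHP_EOL;
}
```

The second sample reuses one numbered placeholder twice and still needs only one argument, which is why the helper tracks the highest position rather than the raw number of matches.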

Testing Framework Fixes

  • Fixed PHPUnit compatibility issue: Corrected the $message argument passed to WP_UnitTestCase::setExpectedException() in Tests_Ajax_CompressionTest::test_logged_out() and Tests_Ajax_TagSearch::test_no_results(). This addresses an issue where PHPUnit 6.4.1 and earlier versions ignored the '0' value.

New Features

No new features were added in this maintenance release. This update focuses on bug fixes and compatibility improvements.

Security Updates

While not explicitly labeled as security fixes, the improvements to wpdb::prepare() include additional validation to ensure that the number of arguments matches the number of placeholders in database queries. This helps prevent potential SQL injection vulnerabilities that could arise from improperly formatted queries.

Performance Improvements

No specific performance improvements were included in this maintenance release. The focus was on fixing bugs and maintaining compatibility.

Impact Summary

WordPress 4.5.11 is a targeted maintenance release that addresses specific issues with database query handling and test compatibility. The most significant change is the restoration of support for numbered placeholders in wpdb::prepare(), which had been removed in a previous update despite being widely used by developers.

This release strikes a balance between security and compatibility by restoring the placeholder functionality while also adding improved validation to ensure queries are properly formatted with the correct number of arguments. This helps prevent potential SQL injection vulnerabilities while maintaining backward compatibility with existing plugins and themes.

For most end users, this update will be transparent, but for developers and site administrators, it resolves potential issues with plugins or themes that relied on the numbered placeholder functionality. The update is particularly important for maintaining the security and stability of WordPress 4.5.x installations.

Statistics:

Files Changed: 12
Line Additions: 578
Line Deletions: 57
Line Changes: 635
Total Commits: 4

Users Affected:

  • Restored support for numbered placeholders in `wpdb::prepare()`, which many developers were using despite it being undocumented
  • Added extra checks to ensure the correct number of arguments are passed to `wpdb::prepare()` based on the number of placeholders
  • Fixed test cases for better PHPUnit compatibility

Contributors:

pento, swissspidy