WordPress Release: 4.5.12

TL;DR

WordPress 4.5.12 is a security and maintenance release that addresses several important security vulnerabilities and fixes PHP notices. This update includes multiple hardening measures to prevent potential security exploits, including improved escaping of language attributes, proper handling of enclosures in feeds, restrictions on JavaScript file uploads, and better hash generation for new blog users. It also fixes issues with the AUTH_SALT constant handling to prevent PHP notices.

Highlight of the Release

• Multiple security hardening measures to prevent potential exploits
• Fixed PHP notices when AUTH_SALT is undefined
• Improved hash generation for new blog users
• Enhanced escaping for language attributes and feed enclosures
• Restricted JavaScript file uploads for users without unfiltered_html capability

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied as soon as possible to ensure your WordPress installation is protected against the security vulnerabilities addressed.

Upgrade Recommendations

It is strongly recommended that all WordPress 4.5 sites be updated to version 4.5.12 immediately. This release contains important security hardening measures that protect your site from potential vulnerabilities.

If you're running an older version of WordPress, it's recommended to upgrade to the latest version (beyond 4.5.12) as the 4.5 branch is no longer receiving regular updates and may contain other security vulnerabilities.

Bug Fixes

• Fixed PHP notice that occurred when AUTH_SALT was undefined
• Added check to ensure AUTH_SALT is not empty to prevent potential issues
• Removed version number from the readme file in the 4.5 branch

New Features

No new features were added in this release. WordPress 4.5.12 is primarily a security and maintenance release focused on addressing security vulnerabilities and fixing bugs.

Security Updates

• Improved Hash Generation: Replaced deterministic substring with properly generated hash for the newbloguser key, enhancing security for new blog user creation
• Enhanced HTML Language Attributes: Added proper escaping to language attributes used on html elements to prevent potential XSS vulnerabilities
• Secured Feed Enclosures: Ensured attributes of enclosures are correctly escaped in RSS and Atom feeds to prevent potential injection attacks
• JavaScript Upload Restrictions: Removed the ability for users without the unfiltered_html capability to upload JavaScript files, preventing potential security risks

Performance Improvements

No specific performance improvements were included in this release. The focus was on security hardening and bug fixes.

Impact Summary

WordPress 4.5.12 is primarily a security-focused release that addresses several potential vulnerabilities through improved escaping and input validation. The most significant change restricts JavaScript file uploads for users without the unfiltered_html capability, which enhances security but may affect some workflows. The release also fixes PHP notices related to the AUTH_SALT constant, ensuring more stable operation. Site administrators should update immediately to protect their installations from potential security exploits. This release maintains backward compatibility and should not break existing functionality when upgrading from previous 4.5.x versions.