WordPress Release: 4.5.16

TL;DR

WordPress 4.5.16 is a security and maintenance release that addresses several important security vulnerabilities and improves the platform's stability. This update focuses on enhancing media file type verification, improving KSES security for allowed HTML tags, fixing multisite activation issues, and preventing unwanted data manipulation in post editing.

This release is critical for all WordPress site owners as it patches multiple security vulnerabilities that could potentially be exploited. The changes primarily affect media handling, HTML filtering, multisite user activation, and post editing functionality.

Highlight of the Release

• Improved security for media uploads with better MIME file type verification
• Enhanced KSES HTML filtering to prevent potential security vulnerabilities
• Fixed multisite user activation issues and improved messaging
• Protected post editing from unwanted data manipulation
• Added new developer API for customizing URI attributes in KSES

Migration Guide

This is a security and maintenance release that doesn't require any specific migration steps. Simply update to WordPress 4.5.16 through your WordPress dashboard or by downloading the update from wordpress.org.

If you've customized KSES filtering in your theme or plugins, particularly if you've modified allowed HTML tags or URI attributes, you should test your customizations after updating to ensure they still work as expected with the new KSES improvements.

Upgrade Recommendations

Priority: High - Security Update

All WordPress site owners should update to version 4.5.16 immediately. This release contains important security fixes that address multiple vulnerabilities that could potentially be exploited.

The update process should be straightforward and shouldn't affect your existing content or settings. As always, it's recommended to back up your site before performing any update.

If you're running a version older than 4.5.15, you should consider updating to the latest WordPress version available, as the 4.5.x branch is quite old and may not receive future updates.

Bug Fixes

• Multisite Activation: Fixed issues with user activation on multisite installations:

  • Improved messaging for previously activated users
  • Prevented multiple activation attempts for the same user
  • Enhanced validation of activation links

• KSES HTML Filtering:

  • Conditionally removed the <form> element from $allowedposttags while maintaining backward compatibility
  • Re-adds <form> if custom filters have added <input> or <select> elements

• Media Tests: Removed invalid data from test data provider for media functionality

• Post Editing: Fixed security issue by removing unwanted fields (meta_input, file, and guid) before saving posts, as these fields are not intended to be updated through user input

New Features

New Developer APIs

• KSES URI Attributes API: Added new wp_kses_uri_attributes function and filter that centralizes the list of URI attributes. This provides a more consistent approach to handling URI attributes and allows developers to customize them through the filter.

Security Updates

• Media Upload Security: Improved verification of MIME file types to prevent potential security vulnerabilities related to uploading malicious files.

• KSES HTML Filtering:

  • Enhanced security by conditionally removing the <form> element from allowed post tags
  • Made URI attributes handling more secure and consistent
  • Centralized URI attributes list to prevent inconsistencies that could lead to security issues

• Post Editing Protection: Added security measures to prevent manipulation of sensitive post data by removing meta_input, file, and guid fields before saving posts

• Multisite Activation: Improved validation of activation links to prevent potential security issues in multisite installations

Performance Improvements

• KSES HTML Filtering: Made the URI attributes handling more efficient by centralizing the list of attributes through the new wp_kses_uri_attributes function, reducing code duplication and improving maintainability.

Impact Summary

WordPress 4.5.16 is primarily a security-focused maintenance release that addresses several important vulnerabilities and bugs. The most significant changes involve improved security for media uploads through better MIME type verification, enhanced KSES HTML filtering to prevent potential security issues, and fixes for multisite user activation.

For site administrators and content creators, this update provides important protections against potential security threats without changing the user experience. The improvements to MIME type verification help prevent malicious file uploads, while the KSES enhancements provide better protection against potentially harmful HTML.

For developers, the release introduces a new API for handling URI attributes in KSES filtering, making the code more maintainable and providing a hook for customization. The conditional handling of form elements in allowed post tags also maintains backward compatibility while improving security.

Multisite network administrators will benefit from improved user activation processes, with better validation of activation links and clearer messaging for users who attempt to activate multiple times.

Overall, this is an important security update that should be applied promptly to all WordPress installations to maintain site security and stability.