HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.5.18

WordPress Release: 4.5.18

Tag Name: 4.5.18

Release Date: 9/4/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.5.18 is a security and maintenance release that addresses several important security vulnerabilities and improves URL handling. This update includes multiple security fixes for URL validation, sanitization, and output escaping, along with a critical jQuery security patch backported from jQuery 3.4.0. The release focuses primarily on hardening WordPress against potential security exploits while maintaining compatibility with the 4.5 branch.

Highlight of the Release

    • Multiple security fixes for URL validation and sanitization
    • Backport of critical jQuery security patch from jQuery 3.4.0
    • Improved handling of rel attributes in links
    • Enhanced output escaping in attachment uploads

Migration Guide

No migration steps are required for this update. WordPress 4.5.18 is a security and maintenance release that should not affect existing functionality. Simply update your WordPress installation through the admin dashboard or via your preferred method.

Upgrade Recommendations

This is a security release that addresses multiple vulnerabilities. It is strongly recommended that all WordPress sites running version 4.5.x update to 4.5.18 immediately.

The security fixes in this release address important vulnerabilities related to URL handling, content sanitization, and jQuery. These updates are critical for maintaining the security of your WordPress site.

For sites on older branches of WordPress, consider upgrading to the latest supported version for the most comprehensive security protection.

Bug Fixes

  • Fixed URL sanitization in wp_kses_bad_protocol_once() to properly handle malformed URLs
  • Removed _convert_urlencoded_to_entities() from the get_the_content() callback to fix content handling
  • Improved handling of existing rel attributes in wp_rel_nofollow_callback() to properly maintain attributes
  • Enhanced URL validation in wp_validate_redirect() to prevent potential security issues
  • Added proper output escaping in wp_ajax_upload_attachment() to prevent XSS vulnerabilities

New Features

No new features were added in this release. WordPress 4.5.18 is primarily a security and maintenance release focused on addressing security vulnerabilities and improving existing functionality.

Security Updates

  • jQuery Security Patch: Backported security fix from jQuery 3.4.0 to address potential vulnerabilities in jQuery's handling of HTML content
  • URL Validation: Improved URL validation in wp_validate_redirect() to prevent potential open redirect vulnerabilities
  • Output Escaping: Added proper escaping to the output in wp_ajax_upload_attachment() to prevent XSS attacks
  • URL Sanitization: Fixed URL sanitization in wp_kses_bad_protocol_once() to better handle malicious URLs
  • Attribute Handling: Improved handling of the existing rel attribute in wp_rel_nofollow_callback() to prevent potential security issues

Performance Improvements

This release does not contain any specific performance improvements. The changes are primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.5.18 is primarily a security-focused release that addresses several important vulnerabilities without introducing new features or breaking changes. The security fixes target URL validation, sanitization, and output escaping, along with a critical jQuery security patch.

The impact of this release is minimal for most users in terms of functionality changes, but significant for site security. The improvements to URL handling and validation functions enhance WordPress's resistance to potential attacks without affecting normal site operations.

For developers, the changes to URL handling functions like wp_validate_redirect() and wp_kses_bad_protocol_once() may require attention if custom code relies heavily on these functions. The jQuery security patch is particularly important as it addresses a vulnerability that could potentially affect many WordPress sites.

This release demonstrates WordPress's ongoing commitment to maintaining security for older branches while ensuring compatibility with existing sites.

Statistics:

File Changed18
Line Additions75
Line Deletions123
Line Changes198
Total Commits10

User Affected:

  • Should update immediately to protect sites from security vulnerabilities
  • No functionality changes that would affect day-to-day operations
  • Benefit from improved URL validation and sanitization

Contributors:

johnbillionSergeyBiryukovwhyisjakedesrosjazaozz