WordPress Release: 4.5.20

TL;DR

WordPress 4.5.20 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security protocols by using the HTML5 named entity : in URI attributes. This is an important security fix that affects all WordPress 4.5.x installations and should be applied immediately to maintain site security.

Highlight of the Release

• Security fix for wp_kses_bad_protocol() to prevent bypassing security protocols using the HTML5 named entity : in URI attributes
• Backport of security patch from newer WordPress versions (r46895) to the 4.5 branch
• Maintenance update focused on security with no new features or functionality changes

Migration Guide

No migration steps are required for this update. This is a direct security patch that doesn't change any APIs or functionality.

To update:

1. Back up your WordPress site (files and database)
2. Update through the WordPress dashboard or download the update and install manually
3. No additional configuration changes are needed after updating

Upgrade Recommendations

Immediate Upgrade Recommended

All WordPress 4.5.x installations should be updated to version 4.5.20 immediately to address the security vulnerability in the wp_kses_bad_protocol() function.

While WordPress 4.5 is an older branch that reached end-of-life status some time ago, this security update is critical for any sites still running this version. However, for optimal security and features, upgrading to the latest major WordPress release is strongly recommended.

The update process should be straightforward with no expected compatibility issues:

• Backup your site before updating
• Update through the WordPress dashboard or via manual update
• No configuration changes required post-update

Bug Fixes

Security Bug Fix

Fixed a vulnerability in wp_kses_bad_protocol() that could allow attackers to bypass security protocols:

• Updated the function to properly recognize and handle the HTML5 named entity : in URI attributes
• Prevents potential security bypasses where malicious code could be injected using this entity encoding technique
• Backported from newer WordPress versions (r46895) to ensure 4.5.x branch installations remain secure

New Features

No new features were introduced in this release. WordPress 4.5.20 is strictly a security maintenance release focused on patching a vulnerability in the content filtering system.

Security Updates

Critical Security Fix

This release addresses a security vulnerability in WordPress's content filtering system:

• Fixed a vulnerability in wp_kses_bad_protocol() where attackers could potentially bypass security protocols by using the HTML5 named entity : in URI attributes
• This could potentially allow injection of malicious code or unauthorized protocols in certain contexts
• The fix ensures that all forms of colon representation (including HTML entities) are properly detected and validated when processing URI attributes
• This security patch was originally developed for newer WordPress versions and has been backported to the 4.5 branch

Props to xknown, nickdaugherty, and peterwilsoncc for identifying and addressing this security issue.

Performance Improvements

No specific performance improvements were included in this release. The update focuses exclusively on addressing the security vulnerability in the wp_kses_bad_protocol() function.

Impact Summary

WordPress 4.5.20 addresses a specific security vulnerability in the content filtering system that could potentially allow attackers to bypass security protocols by using HTML5 named entities in URI attributes. This is a targeted security fix that doesn't introduce any new features or change existing functionality.

The impact is primarily security-focused, with no changes to user experience, performance, or functionality. Site administrators should apply this update immediately to protect their WordPress installations from potential security exploits.

It's worth noting that WordPress 4.5 is an older branch, and while this security update is important for sites still running this version, the WordPress team generally recommends upgrading to the latest major release for comprehensive security and feature improvements.