WordPress Release: 4.5.21

TL;DR

WordPress 4.5.21 is a maintenance and security release that addresses several important issues. It includes security fixes for the Cache API, improvements to user account security, better handling of UTF-8 characters in filenames, and removal of outdated test code. This release focuses on enhancing security, improving internationalization support, and maintaining code quality.

Highlight of the Release

• Enhanced security for user accounts by invalidating activation keys on password updates
• Improved Cache API security with proper escaping in the stats method
• Better support for international filenames with enhanced UTF-8 character handling
• Fixed query handling to ensure only a single post is returned on date/time based queries

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 4.5.21 can be installed as a standard update without any special considerations or actions needed before or after the update.

Upgrade Recommendations

This release contains important security fixes and is recommended for all WordPress 4.5.x users. Given the security improvements included in this update, it is strongly advised to update your WordPress installation as soon as possible.

For users on older versions of WordPress, this update addresses specific security concerns in the 4.5 branch, but upgrading to the latest major version of WordPress is still recommended for access to all current features and security improvements.

Bug Fixes

• Query Handling: Fixed an issue where multiple posts could be returned on date/time based queries when only a single post should be returned.
• File Name Sanitization: Enhanced sanitize_file_name function to provide better support for UTF-8 characters, improving internationalization capabilities.
• Test Code Cleanup: Removed unused ::assertPostHasTerms() method from tests/term.php as the associated test was previously removed.

New Features

No significant new features were introduced in this maintenance release. WordPress 4.5.21 focuses primarily on security enhancements, bug fixes, and code improvements.

Security Updates

• User Account Security: Enhanced security by ensuring that user activation keys are now properly invalidated when passwords are updated, preventing potential security vulnerabilities.
• Cache API Security: Improved security in the Cache API by implementing proper escaping around the stats method, protecting against potential injection attacks.
• Query Security: Fixed a potential security issue by ensuring that only a single post can be returned on date/time based queries, preventing unintended data exposure.

Performance Improvements

No specific performance improvements were highlighted in this release. The changes were primarily focused on security enhancements, bug fixes, and code maintenance.

Impact Summary

WordPress 4.5.21 is primarily a security-focused maintenance release that addresses several important vulnerabilities and bugs. The most significant changes improve user account security by properly invalidating activation keys on password updates and enhance the Cache API security with proper escaping.

The release also improves internationalization support with better handling of UTF-8 characters in filenames and fixes query handling to ensure proper results for date/time based queries.

While this update doesn't introduce new features, it strengthens the security posture of WordPress 4.5.x installations and improves reliability. The changes are particularly important for sites with international content and those concerned about security best practices.

This maintenance release demonstrates WordPress's ongoing commitment to security and stability in older supported versions, ensuring that sites that haven't yet upgraded to newer major versions remain as secure as possible.