WordPress Release: 4.5.23
Tag Name: 4.5.23
Release Date: 10/29/2020
WordPress
World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.5.23 brings important security updates and bug fixes
This maintenance release focuses on security improvements across multiple WordPress components including XML-RPC, embeds, and meta handling. It enhances error messages for unprivileged users, improves deserialization security, and fixes several potential vulnerabilities. The update also includes administration screen improvements for backward compatibility and better documentation. This is primarily a security-focused release that all WordPress 4.5.x users should apply immediately.
Highlight of the Release
- Security improvements in XML-RPC, embeds, and meta handling
- Enhanced error messages for unprivileged users
- Disabled deserialization in Requests_Utility_FilteredIterator for better security
- New set_screen_option_{$option} filter for backward compatibility
- Improved parameter naming in screen option filters for better clarity
Migration Guide
No specific migration steps are required for this update. This is a maintenance and security release that maintains backward compatibility with previous WordPress 4.5.x versions.
To update to WordPress 4.5.23:
- Back up your WordPress files and database
- Download the update from the WordPress dashboard or from wordpress.org
- Follow the standard WordPress update procedure
For developers who have implemented custom screen options handling, note that the parameter name has changed from $keep to $screen_option in relevant filters, though backward compatibility is maintained.
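As an illustration of the developer note above, the following added example (not code from WordPress core or from the release itself) shows a plugin hooking the per-option filter and validating the submitted value before it is saved. The option name `myplugin_items_per_page`, the function name, and the 1 to 200 range are hypothetical; the callback receives `$screen_option`, `$option` and `$value`, and returning `false` skips saving.

```php
<?php
// Added example: plugin-side handling of a custom screen option.
// The option name and all myplugin_* identifiers are hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Only run inside WordPress.
}

const MYPLUGIN_PER_PAGE_OPTION = 'myplugin_items_per_page';

/**
 * Validate a submitted "items per page" screen option.
 *
 * @param mixed  $screen_option Value to save instead of the submitted one.
 *                              Defaults to false, which skips saving.
 *                              (This parameter was previously named $keep.)
 * @param string $option        Name of the screen option being saved.
 * @param mixed  $value         Raw value submitted by the user.
 * @return int|false Sanitized value to store, or false to reject it.
 */
function myplugin_set_per_page_option( $screen_option, $option, $value ) {
	// The dynamic hook name already scopes this callback to one option,
	// but check anyway in case the callback is reused on another hook.
	if ( MYPLUGIN_PER_PAGE_OPTION !== $option ) {
		return $screen_option;
	}

	// Never store the raw request value: coerce to a non-negative integer
	// and enforce a sane range (the 1..200 bound is an assumption).
	$per_page = absint( $value );
	if ( $per_page < 1 || $per_page > 200 ) {
		return false; // Reject: nothing is written to user meta.
	}

	return $per_page;
}

// Register at plugin load so the callback is in place before the
// admin request processes the submitted screen options form.
add_filter(
	'set_screen_option_' . MYPLUGIN_PER_PAGE_OPTION,
	'myplugin_set_per_page_option',
	10,
	3
);
```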
Upgrade Recommendations
Priority: High - Security Update
All WordPress 4.5.x users should update to version 4.5.23 immediately due to the security improvements included in this release. The update addresses several potential vulnerabilities in XML-RPC, embeds, and meta handling.
While WordPress 4.5.x is an older branch and not the latest major version, this security update is important for sites that haven't yet upgraded to newer major versions.
For long-term security and feature improvements, consider upgrading to the latest WordPress major version when possible.
Bug Fixes
General Bug Fixes
- Fixed issue with screen option handling in administration screens (fixes #50392)
- Improved logic check when determining installation status during upgrade/install process
- Fixed potential issues with meta key handling by ensuring proper sanitization before checking protection status
- Resolved issue with background image setting to ensure only privileged users can set a background image when a theme is using the deprecated custom background page
New Features
Administration Screen Improvements
- Added new set_screen_option_{$option} filter to ensure backward compatibility with existing implementations
- Renamed the $keep parameter to $screen_option in both screen option filters for better clarity
- Updated documentation to better reflect the purpose of screen option filters
Error Message Enhancements
- Improved error messages for unprivileged users in XML-RPC
- Better error reporting when attachment ID is incorrect in XML-RPC requests
Security Updates
Security Enhancements
- XML-RPC Security: Improved error messages for unprivileged users to prevent information disclosure
- XML-RPC Validation: Added better error handling when attachment ID is incorrect
- Deserialization Protection: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection attacks
- Embed Security: Disabled embeds on deactivated Multisite sites to prevent potential misuse
- Escaping Functions: Modified escaping functions to avoid potential false positives that could lead to security issues
- Meta Protection: Enhanced sanitization of meta keys before checking protection status
- Theme Security: Improved validation to ensure only privileged users can set a background image when a theme uses the deprecated custom background page
Performance Improvements
No significant performance improvements were specifically mentioned in this release. The focus appears to be on security enhancements and bug fixes rather than performance optimizations.
Impact Summary
WordPress 4.5.23 is primarily a security-focused maintenance release that addresses several potential vulnerabilities across different WordPress components. The update improves security in XML-RPC handling, embeds functionality, meta processing, and theme background image settings.
For developers, the release introduces a new filter set_screen_option_{$option} to ensure backward compatibility and renames parameters in screen option filters for better clarity. Documentation has also been improved to better explain the purpose of these filters.
For administrators, particularly those managing multisite installations, the release enhances security by disabling embeds on deactivated sites and improving error messages for unprivileged users.
This update maintains backward compatibility with previous 4.5.x versions while addressing important security concerns. No major features or breaking changes are introduced, making this a straightforward but important security update for all WordPress 4.5.x users.
Statistics:
Users Affected:
- Improved security for administration screens with better handling of screen options
- Enhanced protection against potential vulnerabilities in XML-RPC and meta handling
- Better error messages when unprivileged users attempt unauthorized actions
