HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.5.28

WordPress Release: 4.5.28

Tag Name: 4.5.28

Release Date: 10/17/2022

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.5.28 Security Release

This maintenance release focuses primarily on security enhancements for WordPress 4.5. It introduces strings to indicate security support status for WordPress versions and includes multiple security fixes related to content sanitization, input validation, and email handling. This release is crucial for sites still running WordPress 4.5, as it addresses several vulnerabilities that could be exploited by malicious actors.

Highlight of the Release

    • Introduction of strings to indicate security support status for WordPress versions
    • Multiple security fixes for content sanitization and input validation
    • Enhanced email handling security
    • Improved protection against XSS vulnerabilities

Migration Guide

No specific migration steps are required for this security update. Simply update to WordPress 4.5.28 following the standard WordPress update procedure:

  1. Back up your website files and database
  2. Update through the WordPress dashboard or via manual update
  3. Verify your site is functioning correctly after the update

Note that WordPress 4.5 is an older branch and users are strongly encouraged to update to the latest WordPress version for full security coverage and feature support.

Upgrade Recommendations

This is a critical security update for sites still running WordPress 4.5. All users should update immediately to WordPress 4.5.28.

However, it's important to note that WordPress 4.5 is an older branch with limited support. For optimal security and functionality, users are strongly encouraged to upgrade to the latest WordPress version available.

If you're unable to upgrade to the latest WordPress version due to compatibility concerns, this update provides essential security fixes for the 4.5 branch, but you should plan to upgrade to a more recent version as soon as possible.

Bug Fixes

Security Fixes

  • Content Sanitization:

    • Applied KSES (HTML filtering) to post-by-email content
    • Applied KSES to all trackbacks
    • Applied KSES when editing comments
    • Escaped blogname option in underscores templates
    • Escaped RSS error messages for display

  • Input Validation:

    • Validated host on "Are you sure?" screen
    • Validated relation parameter in WP_Date_Query

  • Email Security:

    • Removed emails from post-by-email logs
    • Reset PHPMailer properties between use to prevent information leakage

New Features

New Support Status Indicators

  • Added new strings to indicate the security support status of WordPress versions
  • These strings will be used in future maintenance/security releases to:
    • Indicate when a WordPress version is no longer receiving security updates
    • Warn users when a WordPress version will shortly stop receiving security updates
  • This change makes these strings available to translators in advance of their implementation

Security Updates

Security Vulnerabilities Addressed

This release addresses multiple security vulnerabilities:

  • XSS Prevention:

    • Fixed potential XSS vulnerabilities by applying proper escaping to:
      • RSS error messages in widgets
      • Blogname option in underscores templates
      • Comment content when editing

  • Content Injection Prevention:

    • Applied KSES filtering to post-by-email content and trackbacks to prevent malicious content injection

  • Information Disclosure Prevention:

    • Removed email addresses from post-by-email logs
    • Reset PHPMailer properties between uses to prevent information leakage

  • Input Validation:

    • Added validation for host on confirmation screens
    • Added validation for relation parameter in WP_Date_Query to prevent potential SQL injection

Performance Improvements

No specific performance improvements were mentioned in this security-focused release.

Impact Summary

WordPress 4.5.28 is primarily a security maintenance release that addresses multiple vulnerabilities related to content sanitization, input validation, and email handling. The release introduces strings for indicating security support status, which will be used in future releases to inform users when their WordPress version is no longer receiving or will soon stop receiving security updates.

The security fixes in this release protect against several potential attack vectors including XSS vulnerabilities, content injection, information disclosure, and SQL injection. These improvements significantly enhance the security posture of WordPress 4.5 installations.

While this update is crucial for sites still running WordPress 4.5, it's important to note that this is an older branch with limited support. Users should consider this release as a temporary security measure while planning to upgrade to a more recent WordPress version that receives full security support and feature updates.

Statistics:

File Changed14
Line Additions87
Line Deletions14
Line Changes101
Total Commits4

User Affected:

  • Benefit from improved security against potential vulnerabilities
  • Should update immediately to protect their sites
  • Will see new security support status indicators in future maintenance releases

Contributors:

peterwilsonccSergeyBiryukov