WordPress Release: 4.5.29

Tag Name: 4.5.29

Release Date: 5/16/2023

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.5.29 is a maintenance and security release that addresses several important issues. It includes security fixes for CSRF vulnerabilities in attachment thumbnails and adds protocol validation for WordPress embed code. The update also improves testing infrastructure by refactoring HTTP redirect tests and updates GitHub Actions workflows to ensure continued compatibility with modern CI/CD practices. Additionally, it adds new translation strings for end-of-life notifications in future updates.

Highlights of the Release

    • Security fix for CSRF vulnerability in attachment thumbnails
    • Added protocol validation for WordPress embed code
    • Improved HTTP redirect testing without external dependencies
    • Added new translation strings for end-of-life notifications
    • Updated GitHub Actions workflows for better CI/CD compatibility

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied to all WordPress 4.5.x installations.

To update:

  1. Back up your website files and database
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. Verify your site functionality after the update

No changes to themes or plugins should be necessary as a result of this update.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes that address CSRF vulnerabilities in attachment thumbnails and add protocol validation for WordPress embed code.

All WordPress 4.5.x users should update to version 4.5.29 immediately to protect their sites from these security vulnerabilities.

Note that WordPress 4.5.x is an older branch of WordPress and is no longer receiving regular feature updates. For the best experience, security, and features, users are strongly encouraged to upgrade to the latest major version of WordPress.

Bug Fixes

HTTP Redirect Testing Improvements

The test for handling multiple location headers in HTTP redirects has been refactored to no longer depend on wordpress.org as an external dependency. The test now directly calls the WP_HTTP::handle_redirects() method with a mocked array of HTTP headers containing multiple location headers. This test has been moved from the external-http group to the http test group as it no longer makes an HTTP request.

New Features

New Translation Strings for End-of-Life Notifications

New translation strings have been added to about.php for use when releasing the final version of WordPress on a particular branch. These strings will allow for proper localization of end-of-life update notifications, ensuring users worldwide receive important information about their WordPress installation's lifecycle in their preferred language.

Security Updates

Critical Security Fixes

This release includes important security fixes:

  1. Media: Prevention of CSRF in Attachment Thumbnails

    • Fixed a Cross-Site Request Forgery (CSRF) vulnerability that could potentially allow unauthorized setting of attachment thumbnails

  2. Embeds: Protocol Validation for WordPress Embed Code

    • Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embeds
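
The release notes do not show the embed change itself. As an added illustration (not WordPress source code), this is what protocol validation for a link requested by an embedded frame can look like: the value is parsed first and the check runs on the parsed scheme, so case tricks and embedded tabs or newlines do not slip past. The function name, the same-host rule and all sample URLs are assumptions made for the example.

```javascript
// Added example, not WordPress code. validateEmbedLink and the sample
// URLs below are hypothetical and constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

/**
 * Decide whether a link requested by an embedded frame may be opened
 * by the host page.
 *   frameSrc      - src attribute of the iframe that sent the request
 *   requestedHref - URL the frame asks the host page to navigate to
 * Returns { allowed: boolean, reason: string }.
 */
function validateEmbedLink(frameSrc, requestedHref) {
  let source;
  let target;
  try {
    source = new URL(frameSrc);
    // Resolve relative values against the frame URL, as a link inside
    // the frame would be resolved.
    target = new URL(requestedHref, source);
  } catch (err) {
    return { allowed: false, reason: 'unparseable-url' };
  }
  // Check the parsed scheme, never a string prefix: the URL parser
  // lowercases the scheme and strips tabs and newlines before this point.
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return { allowed: false, reason: 'protocol-not-allowed' };
  }
  // Assumption for this example: an embed may only link to its own host.
  if (target.host !== source.host) {
    return { allowed: false, reason: 'host-mismatch' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample inputs.
const frame = 'https://blog.example/hello-world/embed/';
const samples = [
  '/hello-world/',
  'https://blog.example/hello-world/',
  'JaVaScRiPt:void(0)',
  'java\tscript:void(0)',
  'data:text/html,hi',
  'https://other.example/',
];
for (const href of samples) {
  console.log(JSON.stringify(href), validateEmbedLink(frame, href).reason);
}
```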

Performance Improvements

GitHub Actions Workflow Optimizations

Multiple improvements to GitHub Actions workflows have been backported to ensure continued functionality and performance:

  • Addressed deprecated notices related to save-output and set-output commands
  • Added support for automatically retrying failed workflows once
  • Removed workflow files not applicable to the branch
  • Updated Docker environment related tooling for consistency across branches

These changes ensure that CI/CD processes continue to run efficiently and reliably, preventing potential build failures due to deprecated GitHub Actions features.

Impact Summary

WordPress 4.5.29 is primarily a security and maintenance release that addresses important vulnerabilities while improving the testing infrastructure and translation capabilities.

The security fixes address CSRF vulnerabilities in attachment thumbnails and add protocol validation for WordPress embed code, which are critical for maintaining site security. These changes protect site administrators from potential attacks that could compromise their WordPress installations.

The testing improvements, particularly the refactoring of HTTP redirect tests to remove external dependencies, enhance the reliability of WordPress's testing infrastructure. This change makes tests more consistent and less prone to failures due to external factors.

The addition of new translation strings for end-of-life notifications improves the user experience for international WordPress users, ensuring they receive important lifecycle information in their preferred language.

The GitHub Actions workflow updates ensure that the continuous integration and deployment processes continue to function correctly with modern GitHub features, which is important for ongoing development and maintenance of the WordPress codebase.

Overall, while this release doesn't introduce major new features, it significantly improves the security, stability, and maintainability of WordPress 4.5.x installations.

Statistics:

  • Files Changed: 18
  • Line Additions: 391
  • Line Deletions: 74
  • Line Changes: 465
  • Total Commits: 5

Users Affected:

  • Benefit from improved security against CSRF attacks in media attachment handling
  • Should update their WordPress installations to protect against security vulnerabilities
  • Will see new end-of-life notifications in their language when applicable in future updates

Contributors:

  • peterwilsoncc
  • desrosj
  • SergeyBiryukov