WordPress Release: 4.5.9
Tag Name: 4.5.9
Release Date: 5/16/2017
WordPress: The world's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.5.9 is a security and maintenance release that addresses several important security vulnerabilities and includes improvements to the build and testing infrastructure. This update focuses on enhancing security by adding nonces for file system operations, whitelisting post arguments in XML-RPC, and fixing issues with post meta checks and customization sessions. The release also improves the development workflow with Travis CI enhancements and Slack integration.
Highlights of the Release
- Added nonce verification for file system credential updates to enhance security
- Whitelisted post arguments in XML-RPC to prevent potential security issues
- Fixed issues with post meta checks
- Improved handling of invalid customization sessions
- Enhanced Travis CI build process with caching and Slack integration
Migration Guide
This is a security and maintenance release that doesn't require any specific migration steps. Simply update to WordPress 4.5.9 using the standard WordPress update process:
- Back up your website before updating
- Update through the WordPress admin dashboard (Dashboard → Updates)
- Alternatively, download the update from wordpress.org and perform a manual update
No database schema changes or template modifications are required for this update.
Upgrade Recommendations
Immediate upgrade recommended for all WordPress 4.5.x installations.
This release contains important security fixes that address several vulnerabilities. All WordPress site administrators running version 4.5.8 or earlier should update immediately to version 4.5.9 to ensure their sites remain secure.
For users on WordPress 4.6 or newer, these security fixes have been incorporated into subsequent releases, but it's always recommended to run the latest version of WordPress for optimal security and performance.
Bug Fixes
- Customize API: Fixed issues with invalid customization sessions by adding proper validation and error handling.
- PHPUnit Tests: Corrected logic inversion error in PHPUnit tests for the Customize API after previous changes.
- Media Uploads: Simplified upload error message construction to provide clearer feedback when uploads fail.
New Features
Build and Testing Improvements
- Travis CI Caching: Added Composer files to the Travis cache to speed up subsequent builds. The cache is specific to the branch and PHP version, resulting in faster build times once the cache is primed.
- Slack Integration: Integrated Travis CI build results with Slack for the WordPress/wordpress-develop GitHub repository, providing better visibility into build status and enabling quicker response to build failures.
Security Updates
- File System Operations: Added nonce verification for updating file system credentials, preventing potential CSRF attacks.
- XML-RPC Security: Implemented whitelisting for post arguments in XML-RPC to prevent potential security vulnerabilities.
- Post Meta Handling: Adjusted post meta checks to enhance security and prevent unauthorized access to post metadata.
- Customizer Security: Improved handling of invalid customization sessions to prevent potential security issues.
Performance Improvements
- Build Process: Optimized the Travis CI build process by implementing caching for Composer files, which reduces the time needed for subsequent builds.
- Error Handling: Streamlined error message construction for media uploads, potentially improving performance during error conditions.
Impact Summary
WordPress 4.5.9 is primarily a security-focused maintenance release that addresses several important vulnerabilities while also improving the development infrastructure. The security enhancements include adding nonce verification for file system operations, implementing XML-RPC argument whitelisting, fixing post meta checks, and improving customization session handling.
For site administrators, this update significantly improves security posture without requiring any configuration changes or introducing breaking changes. The fixes for XML-RPC and file system operations address potential attack vectors that could be exploited in earlier versions.
For developers, the improvements to the build and testing infrastructure with Travis CI caching and Slack integration enhance the development workflow, though these changes don't affect production sites directly.
Content creators will benefit from improved security for post operations and clearer error messages when media uploads fail. Overall, this release represents an important security update that maintains compatibility with existing themes and plugins while addressing several security concerns.
