
WordPress Release: 4.6.13

Tag Name: 4.6.13

Release Date: 12/13/2018

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.6.13 is a security and maintenance release that addresses several important security vulnerabilities and improves the platform's stability. This update focuses on enhancing MIME file type verification, improving KSES security handling, fixing multisite activation issues, and preventing unauthorized post field updates. These changes strengthen WordPress's security posture against potential exploits and improve the overall user experience.

Highlight of the Release

  • Enhanced security for MIME file type verification in media uploads
  • Improved KSES security handling with conditional removal of form elements
  • Better multisite activation experience with improved messaging and validation
  • Prevention of unauthorized updates to sensitive post fields
  • New centralized function for URI attributes in KSES

Migration Guide

No specific migration steps are required for this maintenance and security release. As with any WordPress update, it's recommended to:

  1. Back up your website before updating
  2. Update all themes and plugins to their latest versions
  3. Test functionality after updating, especially if you have custom code that interacts with:
    • Media uploads and MIME type handling
    • KSES filtering and allowed HTML tags
    • Multisite activation processes
    • Post editing and saving

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains several important security fixes that protect against potential vulnerabilities in WordPress core. All WordPress site administrators should upgrade to version 4.6.13 immediately to ensure their sites remain secure.

If you're running an older version of WordPress (4.6.x), this update is especially important as it addresses security issues that could potentially be exploited.

For users on newer major versions of WordPress (4.7 or later), these security fixes have likely been incorporated into your version's security updates, but you should ensure you're running the latest point release of your WordPress version.

Bug Fixes

Multisite Activation Improvements

  • Fixed an issue where users could attempt to activate a site multiple times, resulting in confusing messaging
  • Improved handling of previously activated users with clearer feedback
  • Enhanced validation of activation links to prevent potential issues

KSES Security Handling

  • Conditionally removed the <form> element from $allowedposttags to improve security
  • Added backward compatibility check that re-adds <form> if custom filters have added <input> or <select> elements
  • Removed invalid data from test data provider for media tests

Post Editor Security

  • Removed unwanted fields (meta_input, file, and guid) before saving posts to prevent unauthorized updates through user input

New Features

New Centralized Function for URI Attributes

WordPress 4.6.13 introduces the new wp_kses_uri_attributes function that centralizes the list of URI attributes in KSES. This implementation follows the DRY (Don't Repeat Yourself) principle to prevent inconsistencies in attribute handling across the codebase.

Additionally, a new filter wp_kses_uri_attributes has been added, providing developers with a way to customize which attributes are treated as URI attributes in KSES filtering.
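As an added example (not code from the release or from WordPress core), the following small plugin uses both filters named above. It assumes it runs inside WordPress 4.6.13 or later, and the attribute name data-preview-src is a hypothetical one chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example - KSES URI attribute registration
 * Added example, not WordPress core code.
 *
 * Allows a hypothetical `data-preview-src` attribute on <img> in post content
 * and registers it as a URI attribute so KSES runs its value through
 * wp_kses_bad_protocol(). Without the second hook the attribute would be
 * allowed verbatim, and a disallowed protocol in its value would not be removed.
 */

// 1. Allow the hypothetical attribute on <img>, for the 'post' context only.
add_filter( 'wp_kses_allowed_html', function ( $tags, $context ) {
	if ( 'post' === $context && isset( $tags['img'] ) ) {
		$tags['img']['data-preview-src'] = true;
	}
	return $tags;
}, 10, 2 );

// 2. Declare it as a URI attribute so it is protocol-checked like href and src.
add_filter( 'wp_kses_uri_attributes', function ( $uri_attributes ) {
	$uri_attributes[] = 'data-preview-src';
	return $uri_attributes;
} );

/**
 * Sanitize untrusted post content with the 'post' context rules above.
 * Values whose protocol is not in wp_allowed_protocols() have that protocol
 * stripped by KSES; an https: value is kept unchanged.
 */
function example_sanitize_preview_markup( $untrusted_html ) {
	return wp_kses_post( $untrusted_html );
}
```

Because `wp_kses_uri_attributes` is a filter, any plugin or theme that registers a custom URI-bearing attribute should add it here rather than maintaining its own list; otherwise KSES treats the attribute as plain text and applies no protocol check.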

Security Updates

Media Upload Security

  • Improved verification of MIME file types to prevent potential security vulnerabilities related to file uploads

KSES Security Enhancements

  • Conditionally removed the <form> element from $allowedposttags to prevent potential XSS vulnerabilities
  • Centralized URI attribute handling with the new wp_kses_uri_attributes function for more consistent security filtering
  • Added backward compatibility measures to maintain functionality for sites with custom KSES filters

Post Data Protection

  • Added protection against unauthorized updates to sensitive post fields (meta_input, file, and guid) that are not intended to be modified through user input

Multisite Security

  • Improved validation of activation links in multisite installations to prevent potential security issues

Performance Improvements

KSES Improvements

The implementation of the DRY principle for URI attributes in KSES not only improves security but also makes the code more maintainable and potentially more efficient by centralizing attribute handling in one location rather than duplicating it across multiple functions.

Impact Summary

WordPress 4.6.13 is primarily a security-focused release that addresses several potential vulnerabilities while also improving the user experience in multisite environments. The security enhancements focus on three key areas:

  1. Media handling - Improved MIME file type verification to prevent potential security issues with uploaded files
  2. KSES filtering - Enhanced HTML filtering with better handling of form elements and URI attributes
  3. Post data protection - Prevention of unauthorized updates to sensitive post fields

For multisite administrators, the release improves the activation process with better messaging and validation of activation links. Developers will benefit from the new centralized function for URI attributes, which follows best practices by implementing the DRY principle.

While this is a maintenance release, the security improvements are significant and warrant immediate attention from all WordPress site administrators. The changes are focused on behind-the-scenes security enhancements rather than user-facing features, meaning most end users won't notice any differences after updating.

Statistics:

Files changed: 14
Line additions: 295
Line deletions: 77
Line changes: 372
Total commits: 9

Users Affected:

  • Enhanced security against potential exploits through improved MIME file type verification
  • Better protection against unauthorized post field updates
  • Improved multisite user activation process with clearer messaging

Contributors:

  • jeremyfelt
  • pento
  • peterwilsoncc
  • iandunn