WordPress Release: 4.6.15

TL;DR

WordPress 4.6.15 is primarily a security-focused maintenance release that addresses several important vulnerabilities. This update includes fixes for URL validation, content sanitization, and jQuery security issues. It also includes improvements to the build and test infrastructure. This release is critical for all WordPress 4.6.x installations to maintain site security and prevent potential exploits.

Highlight of the Release

• Security improvements for URL validation and sanitization
• Backported security patch from jQuery 3.4.0
• Fixed attachment upload security issue
• Improved handling of rel attributes in links

Migration Guide

No specific migration steps are required for this maintenance release. Simply update your WordPress installation to version 4.6.15 through your admin dashboard or via manual update. As this is primarily a security release, no changes to themes, plugins, or custom code should be necessary.

Upgrade Recommendations

This release contains important security fixes, and it is strongly recommended that all sites running WordPress 4.6.x update to version 4.6.15 as soon as possible.

While WordPress 4.6 is no longer receiving active feature development, security updates are still being provided for this branch. However, for the best experience and most up-to-date security features, users should consider upgrading to the latest major version of WordPress.

Bug Fixes

• Fixed issues with URL sanitization in wp_kses_bad_protocol_once() to prevent potential security vulnerabilities
• Improved handling of existing rel attributes in wp_rel_nofollow_callback() to ensure proper attribute handling
• Removed _convert_urlencoded_to_entities() from the get_the_content() callback to fix potential issues with content processing
• Addressed build and test infrastructure issues by switching npm dependency caching strategy on Travis CI

New Features

No significant new features were added in this maintenance release. WordPress 4.6.15 focuses on security fixes and improvements to existing functionality rather than introducing new features.

Security Updates

• Attachment Upload Security: Improved escaping of output in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities
• URL Validation: Enhanced URL validation in wp_validate_redirect() to prevent potential open redirect vulnerabilities
• URL Sanitization: Fixed issues with URL sanitization in wp_kses_bad_protocol_once() to prevent potential security vulnerabilities
• jQuery Security: Backported security patch from jQuery 3.4.0 to address potential prototype pollution vulnerabilities (fixes #47020)

Performance Improvements

This release includes minor performance improvements through the optimization of CI jobs on the 4.6 branch. The removal of the PHP 5.6 job without object cache in place streamlines the testing process. However, there are no significant end-user performance improvements in this maintenance release.

Impact Summary

WordPress 4.6.15 is a security-focused maintenance release that addresses several important vulnerabilities that could potentially be exploited on unpatched sites. The security improvements focus on URL validation, content sanitization, and fixing a jQuery security issue.

The changes in this release are primarily under-the-hood fixes that improve the security posture of WordPress installations without changing the user interface or functionality. Site administrators should update promptly to protect their sites from potential security threats.

For developers, the most notable changes are improvements to URL validation in wp_validate_redirect(), fixes to URL sanitization in wp_kses_bad_protocol_once(), and the backported security patch from jQuery 3.4.0. These changes help prevent potential security issues like open redirect vulnerabilities and XSS attacks.

While this is an important security update, it does not introduce any breaking changes that would affect themes, plugins, or custom code built for WordPress 4.6.x.