WordPress Release: 4.6.17

TL;DR

WordPress 4.6.17 is a security-focused maintenance release that patches a vulnerability in the wp_kses_bad_protocol() function. This update prevents attackers from bypassing security protocols by using the HTML5 named entity : in URI attributes. This is a critical security fix that all WordPress 4.6.x users should apply immediately to protect their sites from potential XSS attacks.

Highlight of the Release

• Security fix for wp_kses_bad_protocol() function to prevent bypassing security protocols
• Patched vulnerability related to HTML5 named entity : in URI attributes
• Critical update for all WordPress 4.6.x installations

Migration Guide

No migration steps are required for this update. Simply update your WordPress installation to version 4.6.17 through your admin dashboard or via manual update procedures.

This is a direct update with no breaking changes or modifications to existing functionality beyond the security fix.

Upgrade Recommendations

Immediate Upgrade Recommended

All users running WordPress 4.6.x are strongly recommended to update immediately to version 4.6.17.

This release contains a critical security fix that addresses a vulnerability in the wp_kses_bad_protocol() function. Failing to update could leave your site vulnerable to potential cross-site scripting (XSS) attacks.

While WordPress 4.6.x is an older branch and most sites should be running more recent major versions, any sites still on this branch should apply this security update as soon as possible, even if planning to upgrade to a newer major version in the near future.

Bug Fixes

Security Bug Fix

Fixed a vulnerability in the wp_kses_bad_protocol() function that could allow attackers to bypass security protocols by using the HTML5 named entity : in URI attributes. This could potentially lead to cross-site scripting (XSS) attacks.

The fix ensures that the function properly recognizes and handles the : entity when validating URI attributes, preventing security bypasses.

New Features

No new features were introduced in this release. WordPress 4.6.17 is strictly a security maintenance release focused on patching a vulnerability in the wp_kses_bad_protocol() function.

Security Updates

Critical Security Fix

This release patches a vulnerability in the wp_kses_bad_protocol() function that could allow malicious actors to bypass WordPress's content filtering system. The function is responsible for validating that URI attributes don't contain invalid or disallowed protocols.

The vulnerability existed because the function did not properly recognize the HTML5 named entity : in URI attributes. This could potentially allow attackers to inject malicious code through specially crafted URIs, bypassing WordPress's content sanitization mechanisms.

This security fix ensures that wp_kses_bad_protocol() properly identifies and handles the : entity, closing this security loophole.

Props to xknown, nickdaugherty, and peterwilsoncc for identifying and fixing this security issue.

Performance Improvements

No specific performance improvements were included in this release. WordPress 4.6.17 focuses exclusively on addressing the security vulnerability in the wp_kses_bad_protocol() function.

Impact Summary

WordPress 4.6.17 addresses a significant security vulnerability that could allow attackers to bypass WordPress's content filtering system by exploiting how the wp_kses_bad_protocol() function handles the HTML5 named entity : in URI attributes.

This is a targeted security release with minimal code changes (45 additions, 3 deletions across 5 files) focused exclusively on fixing this vulnerability. The update has no impact on normal site functionality or performance and requires no configuration changes after updating.

For site administrators, this update is critical but transparent - once applied, it silently protects against a specific attack vector without changing how WordPress functions for legitimate users. Developers working with WordPress security functions should take note of this vulnerability pattern for their own code that handles URI validation.