HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.6.26

WordPress Release: 4.6.26

Tag Name: 4.6.26

Release Date: 5/16/2023

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.6.26 is a maintenance and security release that addresses several important issues. It includes security fixes for CSRF vulnerabilities in attachment thumbnails and adds protocol validation for WordPress embed code. The update also improves testing infrastructure with refactored HTTP redirect tests and updates to GitHub Actions workflows. Additionally, it adds new translation strings for end-of-life notifications in future updates.

Highlight of the Release

    • Security fixes for CSRF vulnerabilities in attachment thumbnails
    • Added protocol validation for WordPress embed code
    • Refactored HTTP redirect tests to remove external dependencies
    • Added new translation strings for end-of-life notifications
    • Updated GitHub Actions workflows for improved CI/CD reliability

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that can be applied through the standard WordPress update process.

As always, it's recommended to:

  1. Back up your website before updating
  2. Update all sites running WordPress 4.6.x to this latest version
  3. Test your site functionality after the update

Upgrade Recommendations

This release contains important security fixes. It is strongly recommended that all sites running WordPress 4.6.x update to version 4.6.26 as soon as possible.

The security fixes address CSRF vulnerabilities in attachment thumbnails and add protocol validation for WordPress embed code, which are critical for maintaining site security.

While WordPress 4.6 is an older branch, sites still running this version should update to this latest release while planning for an upgrade to a more recent major version of WordPress.

Bug Fixes

HTTP Redirect Test Refactoring

The test for handling multiple location headers in HTTP redirects has been refactored to no longer depend on wordpress.org as an external dependency. The test now calls the WP_HTTP::handle_redirects() method directly with a mocked array of HTTP headers containing multiple location headers. This test has been moved from the external-http group to the http test group as it no longer makes an HTTP request.

Security Fixes

  • Media: Fixed a CSRF vulnerability in setting attachment thumbnails.
  • Embeds: Added protocol validation for WordPress Embed code to prevent potential security issues.

New Features

New Translation Strings for End-of-Life Notifications

New translation strings have been added to about.php for use when releasing the final version of WordPress on a particular branch. These strings will be used to notify users when a branch reaches its end-of-life, providing clearer communication about support status.

Security Updates

Critical Security Fixes

This release includes important security fixes:

  1. Media Attachment CSRF Protection: Fixed a Cross-Site Request Forgery (CSRF) vulnerability in setting attachment thumbnails that could potentially allow unauthorized actions.

  2. Embed Code Protocol Validation: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embeds.

Performance Improvements

GitHub Actions Workflow Improvements

Several updates to GitHub Actions workflows have been backported to improve the reliability and performance of continuous integration processes:

  • Addressed deprecated notices related to save-output and set-output to ensure workflows continue to run after these features are removed
  • Added support for automatically retrying failed workflows once, reducing manual intervention
  • Removed workflow files not applicable to the branch
  • Backported Docker environment related tooling updates for consistency across branches

Impact Summary

WordPress 4.6.26 is primarily a security and maintenance release that addresses important vulnerabilities while improving the development infrastructure. The security fixes for CSRF in attachment thumbnails and protocol validation for embeds directly impact site security and should be applied promptly.

The changes to testing infrastructure, including the refactored HTTP redirect tests and GitHub Actions workflow improvements, benefit developers working with the codebase but don't affect end users directly.

The addition of new translation strings for end-of-life notifications prepares the way for clearer communication when this branch eventually reaches its end-of-life status.

Overall, this is an important update for security purposes, with minimal impact on day-to-day site operations. The release demonstrates WordPress's ongoing commitment to maintaining security even for older branches.

Statistics:

File Changed18
Line Additions391
Line Deletions74
Line Changes465
Total Commits5

User Affected:

  • Benefit from improved security against CSRF attacks in media attachment handling
  • Should update their WordPress installations to protect against security vulnerabilities
  • Will see new end-of-life notification strings when this branch reaches end-of-life

Contributors:

peterwilsonccdesrosjSergeyBiryukov