HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.6.4

WordPress Release: 4.6.4

Tag Name: 4.6.4

Release Date: 3/6/2017

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.6.4 is a security and maintenance release that addresses several important security vulnerabilities. This update includes fixes for video and audio metadata validation, URL encoding for YouTube embeds, plugin deletion security, redirect validation, and Press This functionality. These changes enhance the security posture of WordPress sites by preventing potential exploits and ensuring broader compatibility with embedded content.

Highlight of the Release

    • Security improvements for plugin deletion operations
    • Enhanced validation for video and audio metadata
    • URL encoding for YouTube video IDs to improve compatibility
    • Improved redirect validation with control character stripping
    • Security enhancement for Press This functionality

Migration Guide

No migration steps are required for this update. WordPress 4.6.4 is a security release that can be applied directly to existing WordPress 4.6.x installations without any special migration procedures.

To update:

  1. Back up your website files and database
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. No additional configuration changes are needed after update

Upgrade Recommendations

This is a critical security update that addresses multiple security vulnerabilities. All WordPress users running version 4.6.x are strongly recommended to update immediately to version 4.6.4.

If you're running an older version of WordPress, consider updating to the latest version (beyond 4.6.4) for additional security improvements and features. However, if you must remain on the 4.6 branch, this update is essential for maintaining site security.

WordPress sites configured for automatic background updates should receive this update automatically.

Bug Fixes

Security and Bug Fixes

  • Plugin Deletion Security: Added file verification checks during plugin deletion operations to prevent potential security issues
  • Redirect Validation: Improved the redirect validation process by stripping control characters before validation, preventing potential bypass techniques
  • Press This Security: Enhanced security in the Press This tool by verifying user intent before fetching in-page resources
  • Video and Audio Metadata: Fixed validation issues with video and audio metadata that could potentially be exploited
  • YouTube Embed Compatibility: Resolved issues with YouTube video embeds by properly URL encoding video IDs, ensuring broader compatibility with videos that contain special characters in their IDs

New Features

No new features were introduced in this release as WordPress 4.6.4 is primarily a security and maintenance update focused on fixing vulnerabilities and improving existing functionality.

Security Updates

  • Plugin Deletion Vulnerability: Added additional file verification checks during plugin deletion operations to prevent potential security exploits
  • Redirect Validation Enhancement: Implemented control character stripping before validating redirects to prevent bypass techniques that could lead to malicious redirects
  • Press This Security Improvement: Added intent verification before fetching in-page resources using Press This, preventing potential cross-site request forgery attacks
  • Media Metadata Validation: Enhanced validation of video and audio metadata to prevent potential security vulnerabilities that could be exploited
  • YouTube Embed Security: Improved URL encoding of YouTube video IDs to prevent potential injection attacks and ensure proper sanitization

Performance Improvements

No specific performance improvements were highlighted in this release. WordPress 4.6.4 primarily focuses on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.6.4 is a security-focused maintenance release that addresses several important vulnerabilities. By implementing proper validation for video and audio metadata, enhancing plugin deletion security, improving redirect validation, and strengthening the Press This functionality, this update significantly improves the security posture of WordPress sites.

The YouTube video ID encoding improvement also enhances compatibility for embedded content, ensuring videos with special characters in their IDs display correctly. While this release doesn't introduce new features or performance improvements, the security enhancements are critical for protecting WordPress sites against potential exploits.

Site administrators should apply this update immediately to protect their websites from the security vulnerabilities addressed in this release. The update requires no special migration steps and can be applied through the standard WordPress update process.

Statistics:

File Changed10
Line Additions34
Line Deletions8
Line Changes42
Total Commits7

User Affected:

  • Enhanced security against potential exploits when deleting plugins
  • Improved protection against malicious redirects
  • Better security when using Press This functionality

Contributors:

jeremyfeltocean90aaroncampbelljohnbillionnylenSergeyBiryukov