WordPress Release: 4.6.7
Tag Name: 4.6.7
Release Date: 9/19/2017
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. A highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.6.7 is a security and maintenance release that addresses several important security vulnerabilities and includes various improvements to the WordPress core. This update focuses on hardening the database layer, improving URL handling, enhancing security in the editor, and fixing issues with file handling and oEmbed functionality.
This release is critical for all WordPress site owners as it patches multiple security vulnerabilities that could potentially be exploited. The update includes important security fixes for wpdb::prepare(), URL handling, file path validation, and improves sandboxing for embedded content.
Highlight of the Release
- Security hardening for `wpdb::prepare()` to prevent SQL injection vulnerabilities
- Prevention of adding `javascript:` and `data:` URLs through the inline link dialog
- Improved file path validation to prevent directory traversal attacks
- Enhanced HTML sandboxing for oEmbed content
- Better URL encoding and hardening for plugin and template names in admin areas
Migration Guide
Migration Notes for WordPress 4.6.7
For Developers Using wpdb::prepare()
The changes to wpdb::prepare() bring its behavior in line with documentation but may affect existing code:
- Array Handling: When passing an array of values for placeholders, additional values will now be ignored.
- Placeholder Support: Only `%s`, `%d`, and `%F` are supported as placeholders. Any other non-escaped `%` will be escaped.
- Null Values: While null values are still not officially supported, the function will no longer trigger `_doing_it_wrong()` for null values.
Review any code that uses wpdb::prepare() to ensure it follows these guidelines:
```php
// Correct usage: one supported placeholder (%s) bound to one value.
$wpdb->prepare("SELECT * FROM table WHERE column = %s", $value);

// Incorrect usage that may now behave differently: a bare "%" is not a
// placeholder, so it is escaped rather than bound, and $value2 has nothing to bind to.
$wpdb->prepare("SELECT * FROM table WHERE column = %s AND other_column = %", $value1, $value2);
```
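The following is an added review checklist in code form, not code from WordPress core or from this release. It assumes it runs inside WordPress, where `$wpdb` is the global database object; the `products` table and the column names are illustrative.

```php
<?php
// Added example: patterns to look for when reviewing wpdb::prepare() call sites.
// Assumes a loaded WordPress environment ($wpdb available); table/column names are illustrative.
global $wpdb;

// 1. Only %s, %d and %F are placeholders. Arguments can be passed variadically or as a
//    single array; surplus array values are now ignored rather than bound anywhere.
$post_id = 42;
$status  = 'publish';
$posts = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID > %d AND post_status = %s",
    array( $post_id, $status, 'this third value is ignored' )
) );

// 2. A literal percent sign in the query string must be written as %%; a bare % is
//    no longer passed through. For LIKE patterns, build the wildcard into the bound
//    value and run user input through esc_like() so wildcards inside it are literal.
$pattern = $wpdb->esc_like( 'hello-' ) . '%';
$matches = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_name LIKE %s",
    $pattern
) );

// 3. Floats use %F; %d casts to integer, so it must not be used for string data.
$min_price = 9.99;
$count = $wpdb->get_var( $wpdb->prepare(
    "SELECT COUNT(*) FROM {$wpdb->prefix}products WHERE price >= %F", // hypothetical table
    $min_price
) );

// 4. Identifiers (table/column names, ORDER BY targets) cannot be bound with a
//    placeholder; restrict them to an allowlist instead of interpolating user input.
$allowed_orderby = array( 'post_date', 'post_title' );
$orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_orderby, true ) )
    ? $_GET['orderby']
    : 'post_date';
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_status = %s ORDER BY {$orderby} LIMIT %d",
    'publish',
    10
) );
```

Point 4 is the one most often missed in audits: `prepare()` protects values only, so any identifier that comes from a request has to be validated against a fixed list before it is placed in the query string.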
For Plugin Developers
If your plugin relies on specific behavior of the functions modified in this release, particularly around URL handling, file path validation, or database queries, you should test thoroughly after upgrading.
Upgrade Recommendations
Immediate upgrade is strongly recommended for all WordPress installations.
This release contains critical security fixes that address multiple vulnerabilities. Sites running WordPress 4.6.x should update to version 4.6.7 as soon as possible to protect against potential security threats.
The security fixes in this release address:
- SQL injection vulnerabilities
- XSS (Cross-Site Scripting) vulnerabilities
- Directory traversal attacks
- Content injection vulnerabilities
These security issues affect core WordPress functionality and could potentially be exploited if left unpatched. The update process is straightforward and should not cause any disruption to your site's functionality.
Bug Fixes
Security and Bug Fixes
- Database Layer Hardening: Multiple fixes to `wpdb::prepare()` to:
  - Prevent SQL injection vulnerabilities
  - Ignore additional values when arrays are passed as placeholders
  - Avoid triggering `_doing_it_wrong()` for null values
  - Ensure proper escaping of percentage signs in query strings
- URL and Path Handling:
  - Fixed issues with URL encoding and hardening for plugin and template names in admin areas
  - Improved URL escaping in taxonomy and user management
  - Added fallback for incorrect HTTP referrers in taxonomy and user management
- Editor Security:
  - Prevented adding potentially malicious `javascript:` and `data:` URLs through the inline link dialog
- File System Security:
  - Enhanced validation of filenames before unzipping to prevent directory traversal attacks
- Customizer Improvements:
  - Fixed issue to ensure only valid themes are used in the customizer preview
- oEmbed Security:
  - Added extra hardening around allowed HTML for improved sandboxing of embedded content
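The filename validation described under File System Security can be illustrated with a stand-alone check. This is an added example, not the WordPress patch: it opens a constructed archive with PHP's `ZipArchive`, and classifies each entry name using the same three categories that WordPress's `validate_file()` distinguishes (parent-directory traversal, a Windows drive letter, a leading slash). The entry names are constructed for the demonstration.

```php
<?php
// Added example (not WordPress core code): decide, before extraction, whether a zip
// entry name could write outside the target directory.

function is_safe_zip_entry(string $name): bool {
    // Normalise Windows separators so "..\" is caught the same way as "../".
    $n = str_replace('\\', '/', $name);
    if ($n === '' || $n[0] === '/') {            // absolute path
        return false;
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $n)) {    // parent-directory traversal segment
        return false;
    }
    if (strpos($n, ':') !== false) {             // Windows drive letter or stream
        return false;
    }
    return true;
}

// Walk an archive and report which entries would be extracted and which skipped.
function classify_zip_entries(string $zip_path): array {
    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        throw new RuntimeException("cannot open $zip_path");
    }
    $result = ['extract' => [], 'skip' => []];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $result[is_safe_zip_entry($name) ? 'extract' : 'skip'][] = $name;
    }
    $zip->close();
    return $result;
}

// Constructed sample archive: one legitimate entry and three names that must be skipped.
$path = tempnam(sys_get_temp_dir(), 'zipcheck');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::OVERWRITE);
$zip->addFromString('my-plugin/readme.txt', 'ok');
$zip->addFromString('../../outside.txt', 'x');
$zip->addFromString('/absolute.txt', 'x');
$zip->addFromString('C:/drive.txt', 'x');
$zip->close();

print_r(classify_zip_entries($path));   // extract: my-plugin/readme.txt; skip: the other three
unlink($path);
```

The important design point is that the decision is made on the entry name as stored in the archive, before any path is joined to the destination directory; resolving the joined path afterwards with `realpath()` does not help when the file has not been written yet.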
New Features
No significant new features were added in this release as it primarily focuses on security fixes and maintenance improvements. The changes are mainly related to hardening existing functionality and addressing security vulnerabilities.
Security Updates
- SQL Injection Prevention: Multiple hardening measures for `wpdb::prepare()` to prevent SQL injection vulnerabilities by ensuring proper handling of placeholders and escaping.
- XSS Protection:
  - Prevented adding potentially malicious `javascript:` and `data:` URLs through the inline link dialog
  - Added URL-encoding and extra hardening to plugin and template names when displayed in admin areas
  - Improved URL escaping in taxonomy and user management
- Directory Traversal Prevention: Enhanced validation of filenames before unzipping to prevent directory traversal attacks that could allow access to unauthorized files.
- Content Injection Prevention: Added extra hardening around allowed HTML for oEmbed content to improve sandboxing and prevent potential content injection attacks.
- Theme Validation: Ensured only valid themes are used in the customizer preview to prevent potential security issues.
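The XSS protection item above rejects `javascript:` and `data:` links in the inline link dialog. As an added example (not WordPress code; inside WordPress `esc_url()` plays this role), here is a scheme allowlist check of the kind such a dialog needs, together with constructed inputs. It normalises the URL the way a browser would before reading the scheme, so that case and embedded whitespace do not change the verdict.

```php
<?php
// Added example (not WordPress core code): allow relative links and a fixed set of
// schemes; reject everything else, including javascript: and data:.

const ALLOWED_LINK_SCHEMES = ['http', 'https', 'mailto', 'tel', 'ftp'];

function is_allowed_link_url(string $url): bool {
    // Strip whitespace and control characters that browsers ignore when parsing a
    // scheme, and decode entities, so the check sees what the browser will see.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    $clean = html_entity_decode($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // No "scheme:" prefix means a relative URL, which is always allowed.
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_LINK_SCHEMES, true);
}

// Constructed inputs with the verdict each should receive.
$samples = [
    'https://example.com/page'   => true,
    '/relative/path?x=1'         => true,
    'mailto:someone@example.com' => true,
    'javascript:void(0)'         => false,
    'JavaScript:void(0)'         => false,
    "java\tscript:void(0)"       => false,
    'data:text/html;base64,AAAA' => false,
];

foreach ($samples as $url => $expected) {
    $got = is_allowed_link_url($url);
    printf("%-30s %s\n", addcslashes($url, "\t"), $got === $expected ? 'ok' : 'MISMATCH');
}
```

An allowlist is preferable to a denylist of bad schemes: any scheme that is not explicitly known-safe is rejected, so a new or unusual scheme cannot slip through.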
Performance Improvements
This release does not include specific performance improvements. The changes are primarily focused on security enhancements and bug fixes rather than performance optimizations.
Impact Summary
WordPress 4.6.7 is primarily a security-focused release that addresses several important vulnerabilities in the WordPress core. The most significant changes involve hardening the database layer through improvements to the wpdb::prepare() function, which helps prevent SQL injection attacks.
The release also enhances security around URL handling, particularly by preventing potentially malicious URLs (like javascript: and data: URLs) from being added through the editor. File system security is improved with better validation of filenames before unzipping, which prevents directory traversal attacks.
For developers, the most notable impact is the stricter enforcement of wpdb::prepare() behavior to match documentation. This may require code review for plugins and themes that use this function, especially if they rely on undocumented behavior.
Site administrators benefit from overall improved security posture without any negative impact on site performance or functionality. Content creators will notice improved shortcode previews in TinyMCE and enhanced security when working with links and embedded content.
This release demonstrates WordPress's commitment to security by proactively addressing vulnerabilities and hardening core functionality against potential attacks.
Statistics:
Users Affected:
- Enhanced security protections for their WordPress installations
- Improved database query handling with hardened `wpdb::prepare()` function
- Better protection against malicious file uploads
