WordPress Release: 4.7.12

TL;DR

WordPress 4.7.12 Release: Security and Bug Fix Update

WordPress 4.7.12 is a security and maintenance release that addresses several important security vulnerabilities and improves the stability of WordPress 4.7. This update includes enhanced MIME file type verification, improved KSES security handling, fixes for multisite activation issues, and protection against unwanted post field manipulation. Site administrators are strongly encouraged to update immediately to protect their sites from potential security threats.

Highlight of the Release

• Enhanced security for MIME file type verification to prevent potential vulnerabilities
• Improved KSES security handling with conditional removal of <form> element from allowed post tags
• New wp_kses_uri_attributes function and filter for centralized management of URI attributes
• Better multisite user activation experience with improved messaging and validation
• Protection against unwanted post field manipulation by removing sensitive fields before saving

Migration Guide

This release does not require any specific migration steps for most users. Simply update to WordPress 4.7.12 through your dashboard or by downloading the update from WordPress.org.

For Developers:

If you have custom code that relies on the <form> element being allowed in $allowedposttags, be aware that this element is now conditionally removed. The element will be re-added automatically if your code has added <input> or <select> elements to $allowedposttags.

If you need to customize URI attributes for KSES filtering, you can now use the new wp_kses_uri_attributes filter instead of modifying the attributes directly in multiple locations.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all sites running WordPress 4.7.x.

This release contains important security fixes that protect your site from potential vulnerabilities. The security team has addressed multiple issues related to file uploads, form handling, and post field manipulation that could be exploited if left unpatched.

The update process is straightforward and should not cause any disruption to your site's functionality. You can update through your WordPress dashboard or by downloading the update from WordPress.org.

For sites that cannot update immediately, consider implementing additional security measures such as a web application firewall until the update can be applied.

Bug Fixes

• Multisite Activation Issues: Fixed issues where users could attempt to activate a site multiple times, resulting in confusing messaging. Users now see the correct message if they follow an activation link a second time.

• Post Editor Field Handling: Resolved a security issue where meta_input, file, and guid fields could potentially be updated through user input when they were not intended to be.

• KSES Backward Compatibility: Addressed potential backward compatibility issues by conditionally re-adding the <form> element to $allowedposttags if a custom filter has added <input> or <select> elements.

New Features

and Enhancements

• Centralized URI Attributes Management: Introduction of the wp_kses_uri_attributes function and filter to centralize the list of URI attributes, preventing inconsistencies and allowing plugins to customize these attributes.

• Improved Multisite Activation Flow: Enhanced user experience in multisite installations with better messaging for previously activated users and prevention of multiple activation attempts.

• Conditional KSES Handling: More intelligent handling of allowed HTML tags with conditional removal of the <form> element from $allowedposttags while maintaining backward compatibility for custom implementations.

Security Updates

• Enhanced MIME File Type Verification: Improved the verification process for MIME file types to prevent potential security vulnerabilities related to file uploads.

• KSES Security Enhancements: Removed the <form> element from $allowedposttags by default to prevent potential cross-site scripting (XSS) vulnerabilities, while maintaining backward compatibility for custom implementations.

• Multisite Activation Link Validation: Added validation for activation links in multisite installations to prevent potential security issues.

• Protection Against Unwanted Post Field Manipulation: Removed the ability to update sensitive fields (meta_input, file, and guid) through user input in the post editor, preventing potential security vulnerabilities.

Performance Improvements

• DRY Implementation of URI Attributes: The new centralized approach to URI attributes in KSES handling reduces code duplication and improves maintainability.

• Optimized Multisite Activation Process: Streamlined the site activation process in multisite installations to prevent unnecessary repeated activation attempts.

Impact Summary

WordPress 4.7.12 is primarily a security-focused release that addresses several important vulnerabilities while also improving the user experience in multisite installations. The security enhancements focus on three key areas: file upload handling, HTML filtering via KSES, and protection against unwanted post field manipulation.

The KSES improvements are particularly notable, with the introduction of a centralized approach to URI attributes and more secure handling of form elements. These changes make WordPress more resistant to potential cross-site scripting (XSS) attacks while maintaining backward compatibility for custom implementations.

For multisite installations, the improved activation flow provides a better user experience with clearer messaging and validation of activation links. This prevents confusion and potential security issues related to multiple activation attempts.

The removal of the ability to update sensitive fields through user input in the post editor closes a potential security vulnerability that could have been exploited to manipulate post data in unintended ways.

Overall, this release significantly improves the security posture of WordPress 4.7 without introducing breaking changes or requiring complex migration steps.