HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.7.16

WordPress Release: 4.7.16

Tag Name: 4.7.16

Release Date: 12/12/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.7.16 is a security release that addresses two important vulnerabilities: one related to user permissions when making posts sticky and another fixing a potential bypass in the wp_kses_bad_protocol() function that validates URI attributes. This release is crucial for maintaining the security of WordPress 4.7.x installations and all site administrators should update immediately.

Highlight of the Release

    • Fixed a security vulnerability related to user permissions for sticky posts
    • Patched a security issue in wp_kses_bad_protocol() that could allow bypassing URI attribute validation using HTML5 named entities
    • Improved overall security posture for WordPress 4.7.x installations

Migration Guide

No migration steps are required for this update. This is a straightforward security update that can be applied through the standard WordPress update process without any additional configuration changes or migration steps.

Upgrade Recommendations

Immediate update strongly recommended

All WordPress site administrators running version 4.7.x should update to version 4.7.16 immediately. This release contains important security fixes that address vulnerabilities which could potentially be exploited if left unpatched.

For sites on WordPress 4.7.x:

  • Update through your WordPress dashboard or via your preferred update method
  • No special upgrade procedures are required
  • The update is backward compatible and should not affect existing functionality

For sites on earlier versions:

  • Consider upgrading to a more recent branch of WordPress as the 4.7.x branch is quite old
  • If you cannot upgrade to a newer major version, at minimum apply this security update

For sites on newer versions:

  • No action is required as these fixes have been incorporated into more recent WordPress releases

Bug Fixes

Security Fixes

  1. Sticky Posts Permission Check

    • Fixed a vulnerability where proper permission validation was missing before allowing users to make posts sticky
    • Added verification that users have the publish_posts capability before they can make a post sticky
    • This prevents unauthorized users from potentially making posts sticky when they shouldn't have that ability

  2. URI Protocol Validation

    • Fixed a vulnerability in wp_kses_bad_protocol() function that validates URI attributes
    • Added recognition of the : HTML5 named entity in URI attributes
    • This prevents potential bypassing of security checks when validating protocols in URIs

New Features

No new features were introduced in this release. WordPress 4.7.16 is focused exclusively on security fixes for the 4.7 branch.

Security Updates

Security Vulnerabilities Addressed

  1. Sticky Post Permission Vulnerability

    • Fixed an issue where the system wasn't properly checking if a user had the publish_posts capability before allowing them to make a post sticky
    • This could potentially allow users with lower privileges to make posts sticky when they shouldn't have that permission
    • The fix ensures proper capability checks are in place before allowing sticky post functionality

  2. URI Protocol Validation Bypass

    • Patched a vulnerability in the wp_kses_bad_protocol() function that could be exploited using HTML5 named entities
    • The function now properly recognizes : in URI attributes as equivalent to a colon character
    • This prevents attackers from bypassing protocol validation by using HTML entity encoding
    • Without this fix, malicious users could potentially inject unauthorized protocols into URI attributes

Performance Improvements

No specific performance improvements were included in this release. The focus was entirely on addressing security vulnerabilities.

Impact Summary

WordPress 4.7.16 is a security-focused maintenance release that addresses two specific vulnerabilities. The first fix ensures proper permission checking before allowing users to make posts sticky, preventing potential privilege escalation issues. The second fix improves the security of the wp_kses_bad_protocol() function by enhancing its ability to recognize HTML5 named entities like : in URI attributes, preventing potential security bypasses.

These changes have minimal impact on normal site functionality but significantly improve the security posture of WordPress 4.7.x installations. No features were added or removed, and no changes to existing functionality were made beyond the security improvements. The update is backward compatible and should not cause any disruption to existing sites.

While WordPress 4.7.x is an older branch, this security update is important for sites that haven't yet upgraded to newer major versions. Site administrators should apply this update immediately to protect their installations from potential exploitation of these vulnerabilities.

Statistics:

File Changed6
Line Additions48
Line Deletions6
Line Changes54
Total Commits3

User Affected:

  • Need to update their WordPress installations to maintain security
  • Should ensure the update is applied promptly to prevent potential exploitation of the fixed vulnerabilities

Contributors:

SergeyBiryukov