WordPress Release: 4.7.17

TL;DR

WordPress 4.7.17 is a security and maintenance release that addresses several important security vulnerabilities and includes code cleanup. This update focuses on preventing JSON corruption in the Customizer, improving user security by invalidating activation keys on password updates, fixing query issues with date/time-based searches, enhancing cache API escaping, and improving UTF-8 character support in file names. The release also removes outdated test code that no longer serves its original purpose.

Highlight of the Release

• Security improvements to prevent JSON corruption in the Customizer
• Enhanced user security by invalidating activation keys on password updates
• Fixed query handling to ensure single post returns on date/time-based searches
• Improved UTF-8 character support in file name sanitization
• Proper escaping in the cache API stats method

Migration Guide

No specific migration steps are required for this update. WordPress 4.7.17 is a maintenance and security release that should be compatible with existing sites running WordPress 4.7.x.

It is recommended to back up your site before updating, as with any WordPress update, but no special migration procedures are needed.

Upgrade Recommendations

This release contains important security fixes, so it is strongly recommended that all WordPress 4.7.x sites be updated to version 4.7.17 immediately.

However, it's important to note that WordPress 4.7 is an older branch that is no longer receiving regular updates. For optimal security and feature support, sites should consider upgrading to the latest WordPress version (beyond 4.7.x) as soon as possible.

Bug Fixes

• Query Handling: Fixed an issue where date/time-based queries could return multiple posts when only a single post should be returned.
• File Name Sanitization: Enhanced sanitize_file_name() function to better support UTF-8 characters, improving handling of non-Latin characters in uploaded file names.
• Test Code Cleanup: Removed unused ::assertPostHasTerms() method from tests/term.php as the associated test was previously removed.

New Features

No significant new features were added in this release. WordPress 4.7.17 is primarily a security and maintenance release that focuses on fixing vulnerabilities and improving existing functionality.

Security Updates

• Customizer Protection: Added additional filters to the Customizer to prevent potential JSON corruption, which could lead to security vulnerabilities.
• User Authentication: Enhanced security by ensuring that user activation keys are invalidated when passwords are updated, preventing potential unauthorized access.
• Cache API Security: Improved escaping around the stats method in the cache API to prevent potential security issues.
• oEmbed Tests: Removed external oEmbed tests for YouTube that no longer test anything WordPress core has control over, reducing potential security surface area.

Performance Improvements

No specific performance improvements were highlighted in this release. The changes were primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.7.17 is primarily a security-focused maintenance release that addresses several important vulnerabilities. The update improves security in the Customizer by preventing JSON corruption, enhances user authentication security by invalidating activation keys on password updates, and fixes potential issues in the cache API through proper escaping.

The release also includes improvements to query handling for date/time-based searches and better support for UTF-8 characters in file names, which will benefit content creators working with non-Latin alphabets.

While this update is important for sites still running WordPress 4.7.x, it's worth noting that this branch is quite old and no longer receiving regular updates. Site owners should consider upgrading to a more recent WordPress version for continued security updates and feature improvements.