WordPress Release: 4.7.19
Tag Name: 4.7.19
Release Date: 10/29/2020
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.7.19 is a security and maintenance release that addresses several important security vulnerabilities and includes bug fixes to improve the stability and reliability of the platform. This update focuses on enhancing security across multiple components including XML-RPC, embeds, and meta handling, while also improving error messages and fixing screen option handling in the admin area. All WordPress 4.7 users should update immediately to protect their sites from potential security threats.
Highlight of the Release
- Multiple security enhancements across XML-RPC, embeds, and meta handling
- Improved error messages for XML-RPC functionality
- Enhanced screen option handling in admin interfaces
- Disabled embeds on deactivated Multisite sites
- Better protection for theme background image settings
Migration Guide
No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process. After updating, site administrators should test their sites to ensure all functionality continues to work as expected, particularly if they rely heavily on XML-RPC functionality or have custom code that interacts with screen options in the admin area.
Upgrade Recommendations
Immediate upgrade recommended for all WordPress 4.7.x users.
This release contains important security fixes that protect your site from potential vulnerabilities. Given the security-focused nature of this update, all WordPress 4.7.x site owners should update to version 4.7.19 as soon as possible.
For sites on WordPress 4.8 or newer, you should already be on a more recent branch with these security fixes applied. However, if you're still running WordPress 4.7.x, updating to 4.7.19 is critical for maintaining site security.
Bug Fixes
Administration
- Fixed screen option handling to ensure backward compatibility by passing the result of the set-screen-option filter to the new set_screen_option_{$option} filter
- Renamed the $keep parameter to $screen_option in both filters for better clarity
- Updated documentation to better reflect the purpose of these parameters
Tests
- Temporarily skipped PDF tests when they fail due to ImageMagick permission errors to prevent false test failures
Installation
- Improved logic check when determining installation status for more reliable WordPress setup
New Features
WordPress 4.7.19 introduces a new filter set_screen_option_{$option} to ensure backward compatibility when handling screen options in the admin area. This provides developers with more granular control over specific screen options while maintaining compatibility with existing code that uses the general set-screen-option filter.
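How a plugin can hook the per-option filter described above and validate the value before it is stored, as an added example that is not WordPress core code. The option name myplugin_items_per_page, the callback name and the 1 to 200 range are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. The option name
// 'myplugin_items_per_page' and the function name are hypothetical.

/**
 * Callback for the per-option filter set_screen_option_{$option}.
 *
 * @param mixed  $screen_option Result of the legacy set-screen-option filter, or false.
 * @param string $option        Name of the screen option being saved.
 * @param mixed  $value         Value submitted from the Screen Options form.
 * @return int|false Value to store, or false so that nothing is saved.
 */
function myplugin_set_items_per_page( $screen_option, $option, $value ) {
	// Only handle our own option, even if hooked somewhere broader by mistake.
	if ( 'myplugin_items_per_page' !== $option ) {
		return $screen_option;
	}
	// Honour a value a legacy callback already accepted; otherwise use the submitted value.
	$candidate = ( false !== $screen_option ) ? $screen_option : $value;
	// Accept only whole numbers in the assumed range; anything else is not stored.
	if ( ! is_numeric( $candidate ) || (int) $candidate != $candidate ) {
		return false;
	}
	$candidate = (int) $candidate;
	return ( $candidate >= 1 && $candidate <= 200 ) ? $candidate : false;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register for this one option, passing all three arguments.
	add_filter( 'set_screen_option_myplugin_items_per_page', 'myplugin_set_items_per_page', 10, 3 );
} else {
	// Outside WordPress: exercise the callback on constructed inputs.
	$samples = array(
		array( false, '25' ),       // plain submitted value
		array( 50, '25' ),          // legacy filter already returned a value
		array( false, '<script>' ), // non-numeric input
		array( false, '5000' ),     // out of the assumed range
	);
	foreach ( $samples as $s ) {
		var_dump( myplugin_set_items_per_page( $s[0], 'myplugin_items_per_page', $s[1] ) );
	}
}
```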
Security Updates
XML-RPC
- Improved error messages for unprivileged users to prevent information disclosure
- Fixed handling of incorrect attachment IDs to return proper error messages
- Enhanced overall security of the XML-RPC system
External Libraries
- Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential security vulnerabilities
Embeds
- Disabled embeds on deactivated Multisite sites to prevent potential security issues
Meta
- Improved sanitization of meta keys before checking protection status
Themes
- Enhanced security for theme background image settings to ensure only privileged users can set background images when a theme uses the deprecated custom background page
Coding Standards
- Modified escaping functions to avoid potential false positives that could lead to security vulnerabilities
Performance Improvements
No specific performance improvements were highlighted in this release.
Impact Summary
WordPress 4.7.19 is primarily a security-focused release that addresses several important vulnerabilities across multiple components of the platform. The update strengthens security in XML-RPC handling, embeds functionality, meta data processing, and theme background image settings.
The release also improves backward compatibility for screen option handling in the admin area, providing developers with more granular control through a new filter while maintaining compatibility with existing code.
For site administrators, this update enhances overall site security and improves error handling, particularly for XML-RPC functionality. The changes to embeds on deactivated Multisite sites provide additional security for network administrators.
While this release doesn't introduce major new features, its security enhancements are critical for maintaining the integrity and security of WordPress 4.7.x installations. The improvements to error messages and handling also contribute to a better user experience and more reliable operation of the platform.
User Affected:
- Enhanced security protections for their WordPress installations
- Improved error handling for XML-RPC functionality
- Better screen option handling in admin interfaces
- More reliable installation status detection
