WordPress Release: 4.7.26
Tag Name: 4.7.26
Release Date: 5/16/2023
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.7.26 is a security and maintenance release that addresses critical security vulnerabilities and improves testing infrastructure. This update includes fixes for CSRF in attachment thumbnails and protocol validation for WordPress Embed code, along with improvements to GitHub Actions workflows and internationalization support for end-of-life notifications.
Highlight of the Release
- Security fixes for CSRF vulnerability in attachment thumbnails
- Added protocol validation for WordPress Embed code
- Improved testing infrastructure with refactored HTTP API tests
- Added internationalization support for end-of-life notifications
- Modernized GitHub Actions workflows with automatic retry capabilities
Migration Guide
No specific migration steps are required for this release. This is a security and maintenance update that can be applied through the standard WordPress update process.
If you're developing plugins or themes that interact with attachment thumbnails or WordPress embeds, you may want to review your code to ensure compatibility with the security fixes in this release.
Upgrade Recommendations
Immediate Update Recommended
This release contains important security fixes. All WordPress site administrators should update to version 4.7.26 immediately.
The standard WordPress update process can be used:
- Back up your website files and database
- Update through the WordPress admin dashboard (Dashboard → Updates)
- Alternatively, download the update from WordPress.org and install manually
If you're on a managed WordPress hosting platform, your host may apply this update automatically.
Bug Fixes
HTTP API Improvements
- Refactored and re-enabled the existing test for WP_HTTP::handle_redirects() to call the method directly with a mocked array of HTTP headers containing multiple location headers.
- Moved the test from the external-http group to the http test group, as it no longer makes an HTTP request.
- Removed wordpress.org as an external dependency for testing HTTP redirects.
New Features
Internationalization Improvements
- Added new translatable strings to about.php for end-of-life notifications when releasing final versions of WordPress on a particular branch.
Testing Infrastructure Enhancements
- Modernized GitHub Actions workflows with support for automatic retries of failed workflows.
- Removed dependency on wordpress.org for HTTP API testing, making tests more reliable and self-contained.
Security Updates
Critical Security Fixes
- Media: Fixed a CSRF vulnerability in setting attachment thumbnails that could allow unauthorized changes to media files.
- Embeds: Added protocol validation for WordPress Embed code to prevent potential security issues with malformed URLs.
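The two fixes above are instances of one defensive pattern: a state-changing request must carry proof of intent (a nonce) and proof of permission (a capability check), and any URL that will be rendered must match a protocol allow-list. The plugin below is an added example written for this page; it is not WordPress core code and not the actual patch. The plugin name, the example_ functions, the AJAX action name and the nonce action string are hypothetical. The WordPress APIs it calls (check_ajax_referer(), current_user_can(), set_post_thumbnail(), wp_parse_url() with a component argument, esc_url() with a protocol list, wp_send_json_error()) all exist in the 4.7 branch.

```php
<?php
/**
 * Plugin Name: Example Hardened Thumbnail Handler
 * Description: Added illustration (not WordPress core code) of nonce, capability
 *              and URL-protocol checks around attachment thumbnail updates and
 *              embed URLs. All example_* names are hypothetical.
 */

/** Nonce action bound to the post being edited (hypothetical naming scheme). */
function example_thumb_nonce_action( $post_id ) {
	return 'example_set_thumb_' . absint( $post_id );
}

/**
 * Render an admin button that carries a nonce for the thumbnail request.
 * The nonce is tied to the logged-in user's session, so a page on another
 * origin cannot produce a valid one when it tries to forge this request.
 */
function example_thumb_button( $post_id, $thumb_id ) {
	$nonce = wp_create_nonce( example_thumb_nonce_action( $post_id ) );
	printf(
		'<button class="example-set-thumb" data-post="%d" data-thumb="%d" data-nonce="%s">%s</button>',
		absint( $post_id ),
		absint( $thumb_id ),
		esc_attr( $nonce ),
		esc_html__( 'Use as thumbnail', 'example' )
	);
}

/**
 * AJAX handler: verify the nonce first, then the capability, then act.
 * Without step 1, any site a logged-in user visits could submit this request
 * on their behalf, which is the CSRF class of bug this release addresses.
 */
function example_handle_set_thumbnail() {
	$post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$thumb_id = isset( $_POST['thumb_id'] ) ? absint( $_POST['thumb_id'] ) : 0;

	// 1. CSRF check: ends the request with HTTP 403 if the nonce is missing or stale.
	check_ajax_referer( example_thumb_nonce_action( $post_id ), 'nonce' );

	// 2. Authorization: a nonce proves intent, not permission; check the capability too.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// 3. Validate the referenced object before using it.
	if ( ! $thumb_id || 'attachment' !== get_post_type( $thumb_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
	}

	if ( ! set_post_thumbnail( $post_id, $thumb_id ) ) {
		wp_send_json_error( array( 'message' => 'Could not set thumbnail.' ), 500 );
	}
	wp_send_json_success( array( 'post_id' => $post_id, 'thumb_id' => $thumb_id ) );
}
// Only the authenticated wp_ajax_ hook is registered; there is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_set_attachment_thumbnail', 'example_handle_set_thumbnail' );

/**
 * Protocol allow-list for embed URLs. Returns the cleaned URL, or false for
 * anything that is not http/https (javascript:, data:, vbscript:, or a
 * scheme-less string), so such a value can never become an iframe src or
 * link target.
 */
function example_validate_embed_url( $url ) {
	$scheme = wp_parse_url( $url, PHP_URL_SCHEME );
	if ( ! is_string( $scheme ) || ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
		return false;
	}
	// esc_url() with an explicit protocol list returns '' for anything outside it.
	$clean = esc_url( $url, array( 'http', 'https' ) );
	return '' === $clean ? false : $clean;
}
```

To exercise it, place the file in wp-content/plugins and activate it; the button's script would POST action=example_set_attachment_thumbnail together with post_id, thumb_id and nonce to admin-ajax.php. The order of the checks matters: the nonce check runs before any database access so a forged request is rejected cheaply, and the capability check runs separately because a valid nonce only shows the request came from the user's own session, not that the user may edit that post.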
Performance Improvements
GitHub Actions Workflow Improvements
- Updated GitHub Actions workflows to address deprecation notices related to the save-state and set-output workflow commands.
- Added support for automatically retrying failed workflows once, improving CI reliability.
- Removed workflow files not applicable to the branch.
- Backported Docker environment related tooling updates for consistency across branches.
Impact Summary
WordPress 4.7.26 is primarily a security release that addresses critical vulnerabilities in media handling and embeds. It fixes a CSRF vulnerability in attachment thumbnails and adds protocol validation for WordPress Embed code.
The release also includes significant improvements to the testing infrastructure, particularly in the HTTP API tests which no longer depend on external services. This makes the test suite more reliable and self-contained.
For internationalization, new strings have been added to support end-of-life notifications when a WordPress branch reaches its final version.
The GitHub Actions workflows have been modernized with support for automatic retries and updated to address deprecated features, ensuring continued reliability of the CI/CD pipeline.
While this is a maintenance release for the 4.7 branch, the security fixes are critical, making this an important update for all WordPress installations still running version 4.7.x.
Statistics:
Users Affected:
- Should update immediately to protect sites from security vulnerabilities
- Will benefit from improved security against CSRF attacks in media handling
- Will see new end-of-life notification strings when applicable
