WordPress Release: 4.7.3

TL;DR

WordPress 4.7.3 is a maintenance and security release that addresses multiple bugs and security vulnerabilities. This update includes fixes for the REST API, media handling, customizer improvements, and several security patches. It's important for all WordPress 4.7.x users to update immediately to ensure site security and stability.

Highlight of the Release

• Security fixes including validation of video/audio metadata and URL redirection
• REST API improvements for date handling, multisite users, and JavaScript client
• Media upload fixes for MIME type validation and PDF preview generation
• Customizer enhancements for edit shortcuts and auto-draft preservation

Migration Guide

This is a maintenance and security release that doesn't require any special migration steps. Simply update to WordPress 4.7.3 through your dashboard or via manual update.

If you're a developer who has been working with the REST API:

• Review your code that handles post dates, especially for draft posts
• Check any custom implementations using the http_api_curl filter
• If you're using the JavaScript client with custom namespaces, test your code after updating

For theme developers using the Customizer:

• Test your themes that use header videos with the new get_header_video_url filter
• Verify that any custom post types used in starter content work correctly

Upgrade Recommendations

Immediate upgrade recommended for all WordPress 4.7.x users.

This release contains important security fixes that protect your site from potential vulnerabilities. The update also addresses several bugs that improve the overall stability and functionality of WordPress.

The update process is straightforward and can be completed through your WordPress dashboard by going to Updates, or by downloading the release from wordpress.org and performing a manual update.

For multisite installations, network administrators should coordinate the update across all sites to ensure consistent security and functionality.

Bug Fixes

• REST API Fixes:

  • Fixed multiple issues with setting dates of posts and comments
  • Corrected behavior of sticky posts filter when no posts are sticky
  • Fixed parsing of body parameters for DELETE requests
  • Corrected handling of post formats even when not supported by the theme
  • Fixed issues with serving the REST API index with PATH_INFO
  • Corrected casting of revision author ID to int
  • Fixed JavaScript client to use _.extend when merging objects

• Media Handling:

  • Reduced failing uploads by using a more targeted approach to MIME validation
  • Fixed PDF preview generation to avoid overwriting existing files
  • Restored correct upload errors displaying
  • Reset Exif orientation after rotate in WP_Image_Editor_Imagick

• Customizer Fixes:

  • Fixed vertical clipping of thumbnails in header image customizer control
  • Ensured edit shortcuts get re-created for nested partials when a parent partial is refreshed
  • Fixed handling of non-HTTP(S) links in customizer preview
  • Ensured root values are accessible in multidimensional custom setting types
  • Updated customize.php URL with changeset_uuid parameter instantly when changes are made

• Other Fixes:

  • Restored backwards compatibility with the http_api_curl filter
  • Fixed wpautop() to stop adding paragraph tags around <figcaption>
  • Prevented empty feeds from returning 404 errors
  • Fixed issues in get_post_galleries() when processing empty gallery shortcodes
  • Prevented PHP warnings in wp_unique_filename() on PHP 7.1
  • Fixed notice thrown in class-walker-page.php
  • Corrected plugin deletion process with additional file checks
  • Fixed formatting of HTML entities in tag removal screen reader text

New Features

and Enhancements

• Customizer Improvements:

  • Added get_header_video_url filter for the return value of get_header_video_url()
  • Improved handling of custom post types in starter content
  • Extended auto-draft life of customize_changeset posts to prevent garbage collection

• REST API Enhancements:

  • Added the status property in view context responses from Posts endpoints
  • Improved JavaScript client with better route discovery for custom namespaces
  • Added comprehensive QUnit tests for wp-api.js with PHPUnit fixture generation

Security Updates

• Media Security: Added validation for video and audio metadata to prevent potential vulnerabilities
• URL Handling: Improved URL validation by stripping control characters before validating redirects
• Embeds: Enhanced YouTube video ID handling with URL encoding for broader compatibility and security
• Plugin Management: Added additional file checks to plugin deletions to prevent unauthorized access
• Press This: Verified intent before fetching in-page resources using Press This
• REST API: Fixed access control for users from different sites in multisite installations

Performance Improvements

• Optimized handling of auto-draft changesets in the Customizer to prevent unnecessary database operations
• Improved REST API response handling for better performance with large datasets
• Enhanced media handling with more efficient MIME type validation

Impact Summary

WordPress 4.7.3 is primarily a security and maintenance release that addresses multiple vulnerabilities and fixes several bugs across different components of WordPress. The security fixes include validation of media metadata, improved URL handling, and fixes for the REST API.

The most significant improvements are in the REST API, with fixes for date handling, multisite user access, and the JavaScript client. Media handling has been enhanced with better MIME type validation and PDF preview generation. The Customizer received several fixes for edit shortcuts, auto-draft preservation, and handling of custom post types in starter content.

For developers, the release restores backwards compatibility with the http_api_curl filter and improves the JavaScript client for the REST API. Content creators will benefit from fixes to gallery shortcodes, media uploads, and preservation of empty image alt attributes.

This release is essential for maintaining the security and stability of WordPress sites and should be applied promptly by all users running WordPress 4.7.x.