WordPress Release: 4.7.6

TL;DR

WordPress 4.7.6 is a security and maintenance release that addresses several important security vulnerabilities and includes various bug fixes. This update focuses on hardening WordPress against potential security threats, particularly in the database handling, URL validation, and file system operations. It also includes improvements to the editor, customizer, and oEmbed functionality.

This release is critical for all WordPress 4.7.x users as it patches multiple security issues that could potentially be exploited. The update also includes several build and test tool improvements to maintain compatibility with different PHP versions.

Highlight of the Release

• Multiple security enhancements to prevent potential vulnerabilities
• Hardened database operations through improved wpdb::prepare() handling
• Prevented adding javascript: and data: URLs through the inline link dialog
• Added extra validation for file paths during unzipping operations
• Improved URL escaping and encoding throughout the admin area

Migration Guide

No specific migration steps are required for this update. This is a security and maintenance release that should be applied immediately, but it doesn't introduce any breaking changes that would require code modifications in themes or plugins.

When updating to WordPress 4.7.6:

1. Back up your website files and database before updating
2. Update through the WordPress admin dashboard or via manual update
3. Test your website functionality after the update

If you're a developer who has been using wpdb::prepare() in ways that don't align with the documentation (using placeholders other than %s, %d, and %F), you may need to review and update your code.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress 4.7.x users.

This release contains critical security fixes that address multiple vulnerabilities. Sites running WordPress 4.7.x should be updated immediately to protect against potential security threats.

The security team has addressed several important issues related to database operations, URL handling, and file system operations. These fixes are essential for maintaining the security of your WordPress installation.

This is a maintenance and security release, so the risk of compatibility issues with existing plugins and themes is minimal. However, as with any update, it's always recommended to:

1. Create a complete backup of your site before updating
2. Test the update on a staging environment if possible
3. Update all plugins and themes to their latest versions

Bug Fixes

Security and Bug Fixes

• Editor: Prevented adding javascript: and data: URLs through the inline link dialog to block potential XSS attacks.

• Taxonomy/Users:

  • Provided a fallback for incorrect HTTP referrers.
  • Used correct escaping function for URLs.

• Customize: Ensured valid themes in the preview to prevent potential security issues.

• TinyMCE: Improved the previews for shortcodes.

• oEmbed: Added extra hardening around allowed HTML for improved sandboxing.

• Filesystem API: Ensured filenames are valid before attempting to unzip them to prevent issues with malformed file paths.

• General: Added missing URL-encoding and extra hardening to plugin and template names when displayed in the admin area.

New Features

No significant new features were added in this release as it primarily focuses on security enhancements and bug fixes. The changes are mainly related to hardening existing functionality and improving security measures across various WordPress components.

Security Updates

• Database Hardening: Multiple improvements to wpdb::prepare():

  • Aligned behavior with documentation to only support %s, %d, and %F as placeholders
  • Prevented additional values from being processed when arrays are passed as placeholders
  • Improved handling of null values to prevent unexpected behavior
  • Added automatic escaping for non-placeholder percentage signs

• URL Security:

  • Blocked javascript: and data: URLs in the inline link dialog to prevent XSS attacks
  • Improved URL encoding and escaping for plugin and theme names in admin areas
  • Used correct escaping functions for URLs in taxonomy and user management screens

• File System Security:

  • Added validation for filenames before unzipping to prevent directory traversal attacks
  • Ensured file paths are properly sanitized during extraction operations

• Content Security:

  • Enhanced oEmbed sandboxing with improved HTML filtering
  • Added theme validation in the customizer preview

Performance Improvements

This release doesn't include specific performance improvements. The changes are primarily focused on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 4.7.6 is primarily a security-focused release that addresses multiple vulnerabilities across different components of the CMS. The most significant changes involve hardening the database layer through improvements to wpdb::prepare(), preventing malicious URL injections in the editor, and enhancing file system security during unzip operations.

For site administrators and content creators, this update provides important protection against potential security threats without changing the user experience or requiring workflow adjustments. The security enhancements are implemented in a way that maintains compatibility with existing functionality.

For developers, the most notable change is the stricter enforcement of wpdb::prepare() behavior to match its documentation. This might require code adjustments if you've been using this function with non-standard placeholders or in ways that don't align with the intended usage.

Overall, this release represents an important security update that should be applied immediately to all WordPress 4.7.x installations to maintain site security and integrity.