WordPress Release: 4.7.7
Tag Name: 4.7.7
Release Date: 10/31/2017
WordPress: the world's most popular open-source content management system, powering over 40% of all websites. It offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites, and is a highly customizable and scalable platform suitable for both beginners and advanced developers.
TL;DR
WordPress 4.7.7 is a maintenance release that addresses two key issues: restoring support for numbered placeholders in wpdb::prepare() and fixing test cases for PHPUnit compatibility. This release ensures backward compatibility for plugins and themes that relied on the previously undocumented numbered placeholders feature, while also adding safety checks to prevent SQL injection vulnerabilities.
Highlight of the Release
- Restored support for numbered placeholders in `wpdb::prepare()` database queries
- Added validation that the number of arguments passed matches the number of placeholders in the query
- Fixed test cases for PHPUnit compatibility
Migration Guide
No migration steps are required for this update. The changes restore previously available functionality and fix bugs without introducing breaking changes.
If you're a developer who was affected by the removal of numbered placeholders in wpdb::prepare(), your code should work again after updating to WordPress 4.7.7.
Upgrade Recommendations
This update is recommended for all WordPress 4.7.x users, especially for sites running plugins that may have relied on numbered placeholders in database queries. The update improves security by adding validation to database query preparation while maintaining compatibility with existing code.
As this is a maintenance release addressing specific bugs and compatibility issues, it's safe to update immediately.
Bug Fixes
Database Query Preparation Fix
- Restored support for numbered placeholders in `wpdb::prepare()`, which had been removed in a previous update
- Added validation that the number of arguments passed to `wpdb::prepare()` matches the number of placeholders in the query
- This fix maintains backward compatibility for plugins and themes that relied on this undocumented but commonly used feature
Test Framework Fixes
- Fixed `WP_UnitTestCase::setExpectedException()` in `Tests_Ajax_CompressionTest::test_logged_out()` and `Tests_Ajax_TagSearch::test_no_results()` to correctly pass the `$message` argument
- Addressed an issue where PHPUnit 6.4.1 and earlier versions ignored the `'0'` value in tests
New Features
No new features were added in this maintenance release. The focus was on fixing compatibility issues and restoring previously available functionality.
Security Updates
Database Query Security Enhancements
The restoration of numbered placeholders in `wpdb::prepare()` comes with an additional check that the number of arguments passed matches the number of placeholders in the query. A mismatch means either a placeholder is left without a value or a value has no placeholder, and a query built from such a mismatch is malformed in ways that can open the door to SQL injection; validating the count before the query is assembled closes off that class of mistake.
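The placeholder/argument-count check described here (and under Database Query Preparation Fix above) is easiest to see in code. The block below is an added, self-contained PHP model written for this page; it is not WordPress core's `wpdb::prepare()` implementation. The `demo_*` function names, the placeholder regex, the decision to return `null` on a mismatch, and the use of `addslashes()` as a stand-in for a connection-aware escape are all assumptions made so the block runs without WordPress or a database.

```php
<?php
declare(strict_types=1);

// Added example for this page, not WordPress core code. The demo_* names, the
// placeholder regex, returning null on mismatch, and addslashes() (a stand-in
// for a connection-aware escape) are assumptions so the block runs stand-alone.

/**
 * Count the arguments a prepare()-style query needs. Handles positional
 * (%s, %d, %f) and numbered (%1$s, %2$d, ...) placeholders and ignores the
 * literal "%%". A numbered placeholder may be reused, so the need for that
 * form is the highest index referenced, not the number of occurrences.
 */
function demo_count_placeholders(string $query): array
{
    $stripped = str_replace('%%', '', $query);
    preg_match_all('/%(?:([1-9][0-9]*)\$)?[sdfF]/', $stripped, $m);
    $positional = 0;
    $maxIndex   = 0;
    foreach ($m[1] as $idx) {
        if ($idx === '') {
            $positional++;
        } else {
            $maxIndex = max($maxIndex, (int) $idx);
        }
    }
    return [
        'positional' => $positional,
        'numbered'   => $maxIndex,
        'needed'     => $maxIndex > 0 ? $maxIndex : $positional,
    ];
}

/**
 * Model of a prepare() that refuses to build SQL when the argument count does
 * not match the placeholders (or the two placeholder styles are mixed), instead
 * of emitting a query with an unfilled or surplus slot. Returns null on refusal.
 */
function demo_prepare(string $query, array $args): ?string
{
    $info = demo_count_placeholders($query);
    if ($info['positional'] > 0 && $info['numbered'] > 0) {
        return null; // ambiguous mapping between slots and values
    }
    if ($info['needed'] !== count($args)) {
        return null; // the argument-count check
    }
    // Wrap every %s (positional or numbered) in quotes; leave "%%" alone and
    // let vsprintf() cast %d / %f arguments to numbers.
    $format = preg_replace_callback(
        '/%%|%(?:[1-9][0-9]*\$)?s/',
        static fn(array $m): string => $m[0] === '%%' ? '%%' : "'" . $m[0] . "'",
        $query
    );
    // Values never touch the format string, so a "%" or a quote inside an
    // argument cannot create a new placeholder or close the quoted literal.
    $escaped = array_map(
        static fn($a) => is_string($a) ? addslashes($a) : $a,
        $args
    );
    return vsprintf($format, $escaped);
}

/** The pattern prepare() exists to replace: raw interpolation of untrusted input. */
function demo_unsafe_lookup(string $slug): string
{
    return "SELECT ID FROM wp_posts WHERE post_name = '$slug'";
}

// Constructed sample input carrying a classic tautology payload.
$input = "x' OR '1'='1";

// Unprepared: the payload changes the shape of the WHERE clause.
echo demo_unsafe_lookup($input), PHP_EOL;

// Prepared, positional form: the quote is escaped and stays inside the literal.
echo demo_prepare('SELECT ID FROM wp_posts WHERE post_name = %s', [$input]), PHP_EOL;

// Numbered form: %1$s is referenced twice but only two values are needed.
echo demo_prepare(
    'SELECT ID FROM wp_posts WHERE post_name = %1$s AND post_author = %2$d AND post_title <> %1$s',
    [$input, 7]
), PHP_EOL;

// Three positional placeholders, two values: refused rather than left half-filled.
var_dump(demo_prepare('SELECT 1 FROM wp_posts WHERE a = %s AND b = %s AND c = %s', ['a', 'b']));
```

Run with `php` on 7.4 or later: the first line shows the unprepared query with the injected `OR '1'='1'` clause intact, the next two show the prepared queries with the quote escaped inside the string literal (the numbered query filling `%1$s` twice from one value), and the last call dumps `NULL` because three placeholders were given two values. In a plugin the equivalent call is `$wpdb->prepare( 'SELECT ID FROM wp_posts WHERE post_name = %s', $slug )` passed to a method such as `$wpdb->get_var()`; how core itself reports a count mismatch is not covered by this page, so treat the `null` here as the model's choice, not core's.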
Performance Improvements
No specific performance improvements were included in this maintenance release.
Impact Summary
WordPress 4.7.7 is a targeted maintenance release that addresses two specific issues. The most significant change is the restoration of support for numbered placeholders in wpdb::prepare(), which had been removed in a previous update. This feature, though undocumented, was widely used by plugin and theme developers. The restoration comes with enhanced security checks to ensure the correct number of arguments are provided for the placeholders in queries.
The release also includes fixes for test cases to ensure proper compatibility with PHPUnit by correctly passing the message argument to setExpectedException().
These changes primarily impact developers using the WordPress database API and those running test suites. Site administrators will benefit from the improved security checks in database queries and the restored compatibility for plugins that may have been affected by the previous removal of numbered placeholders.
Statistics:
Users affected:
- Developers using numbered placeholders in `wpdb::prepare()` will now have their code working again
- Additional safety checks in `wpdb::prepare()` ensure proper argument count matching placeholders
- Test cases now properly pass the `$message` argument to `setExpectedException()`
