WordPress Release: 4.8.12

Tag Name: 4.8.12

Release Date: 12/12/2019

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.8.12 is a security-only maintenance release for the 4.8 branch that addresses two issues: a missing capability check that let a user without the publish_posts capability make a post sticky, and a bypass of wp_kses_bad_protocol() in which the HTML5 named entity &colon; was not recognized as a colon, so a disallowed scheme such as javascript&colon; could survive filtering in URI attributes. No features or behaviour other than these checks change.

Highlight of the Release

    • Fixed permission validation for making posts sticky: the publish_posts capability is now required
    • Hardened wp_kses_bad_protocol() to recognize the HTML5 named entity &colon; as a scheme separator in URI attributes
    • No new features, no changes to existing functionality

Migration Guide

No migration steps are required for this update. This is a straightforward security release that can be applied without any special considerations.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains security fixes for issues that can be reached by authenticated low-privilege users. Sites still running the 4.8 branch should update to 4.8.12 immediately; sites on a newer branch received the same fixes in that branch's own point release and should apply that instead.

Many managed WordPress hosts and the built-in automatic updater apply minor security releases without intervention, but do not assume this has happened. Confirm the installed version on the Dashboard > Updates screen or with `wp core version` (WP-CLI), and check that the site is still on an auto-update path.

Bug Fixes

Permission Validation for Sticky Posts

Fixed an issue where WordPress did not check that the requesting user had the publish_posts capability before honouring a request to make a post sticky. The check now runs before the sticky flag is set, so only users who are allowed to publish can pin a post to the front page.

URI Protocol Validation Enhancement

Updated wp_kses_bad_protocol() to recognize the HTML5 named entity &colon; as a colon when it looks for the scheme separator in a URI attribute. Previously the function split on the literal colon and on its numeric character references, so a value like javascript&colon;alert(1) contained no separator it knew about and passed through untouched, while a browser decodes &colon; to : and treats the href as a javascript: URL. The entity is now treated exactly like a literal colon, and the disallowed scheme is stripped.

New Features

No new features were introduced in this release as it focuses exclusively on security fixes.

Security Updates

Sticky Post Permission Check

Added a check that the requesting user has the publish_posts capability before a post can be made sticky. Without it, a user whose role can edit but not publish (for example a Contributor) could promote content to the sticky front-page slot, an action reserved for users allowed to publish.

URI Protocol Validation Enhancement

Fixed a bypass in wp_kses_bad_protocol(): the HTML5 named entity &colon; was not recognized as a colon, so a URI attribute such as href="javascript&colon;alert(1)" was not identified as carrying a disallowed scheme. Because KSES is the filter applied to content from users without the unfiltered_html capability, such a user could store a link that a browser decodes to javascript: and executes when a higher-privileged user clicks it (stored XSS). After the fix the entity is handled like a literal colon and the scheme is removed.
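The bypass described in the two wp_kses_bad_protocol() entries above, as an added runnable model. This is not WordPress core code: it reduces the protocol check to its essentials (split the attribute value at the first colon or colon entity, normalise the scheme, keep it only if it is on an allow-list, repeat until stable) and runs the same inputs through a "before" separator pattern that knows only the literal colon and its numeric character references and an "after" pattern that also knows &colon;. The allow-list, function names, regexes and sample hrefs are assumptions made for this example.

```php
<?php
// Added illustration of the wp_kses_bad_protocol() fix. NOT WordPress core
// code: a simplified model of the check. The "before" separator pattern knows
// the literal colon and its numeric character references; the "after" pattern
// also knows the HTML5 named entity &colon;, which is the change 4.8.12 makes.
// Allow-list, names, regexes and samples are assumptions for this example.
declare(strict_types=1);

const ALLOWED_PROTOCOLS = [ 'http', 'https', 'mailto', 'ftp' ];

// Separator pattern modelling pre-4.8.12 behaviour: ':' plus its decimal and
// hexadecimal character references only.
const COLON_BEFORE = '/:|&#0*58;|&#x0*3a;/i';
// Separator pattern modelling 4.8.12: the named reference &colon; counts too.
const COLON_AFTER  = '/:|&#0*58;|&#x0*3a;|&colon;/i';

/** Normalise a candidate scheme the way a browser effectively reads it. */
function normalise_scheme( string $scheme ): string {
    // Decode character references (e.g. "&#x6a;avascript"), drop the ASCII
    // control/whitespace bytes browsers ignore inside a scheme, lower-case.
    $decoded = html_entity_decode( $scheme, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return strtolower( preg_replace( '/[\x00-\x20]+/', '', $decoded ) );
}

/** One pass: remove the scheme from $value unless it is on the allow-list. */
function strip_bad_protocol_once( string $value, string $colon_pattern ): string {
    $parts = preg_split( $colon_pattern, $value, 2 );
    // No separator found, or the "scheme" part already contains "/?" (a path
    // and query): nothing scheme-like to check, so the value is returned as is.
    if ( ! isset( $parts[1] ) || preg_match( '%/\?%', $parts[0] ) ) {
        return $value;
    }
    $scheme = normalise_scheme( $parts[0] );
    $rest   = trim( $parts[1] );
    return in_array( $scheme, ALLOWED_PROTOCOLS, true ) ? $scheme . ':' . $rest : $rest;
}

/** Repeat until stable so "javascript:javascript:alert(1)" cannot leave a scheme behind. */
function strip_bad_protocol( string $value, string $colon_pattern ): string {
    do {
        $previous = $value;
        $value    = strip_bad_protocol_once( $value, $colon_pattern );
    } while ( $value !== $previous );
    return $value;
}

// Constructed sample href values; the third is the bypass this release closes.
$samples = [
    'javascript:alert(1)',             // literal colon: caught before and after
    'javascript&#58;alert(1)',         // decimal reference: caught before and after
    'JaVa&#x09;script&colon;alert(1)', // named reference: survives the old check
    'https://example.com/?q=a:b',      // allowed scheme, kept intact
];

foreach ( $samples as $href ) {
    printf( "%-34s before: %-34s after: %s\n", $href,
        strip_bad_protocol( $href, COLON_BEFORE ),
        strip_bad_protocol( $href, COLON_AFTER ) );
}
```

Run it with `php kses_colon.php`: the first two samples reduce to alert(1) under both patterns, the third is returned unchanged by the "before" pattern and reduced to alert(1) by the "after" pattern, and the https URL is kept whole. The real function applies the same idea with more normalisation (null-byte and whitespace stripping, a feed: special case), so the model is for understanding the gap, not a substitute for core. To confirm the fix on a live site, run `wp eval 'var_dump( wp_kses_bad_protocol( "javascript&colon;alert(1)", array( "http", "https" ) ) );'` with WP-CLI: a patched install returns "alert(1)", an unpatched one returns the input unchanged.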

Performance Improvements

No specific performance improvements were included in this release as it focuses on security fixes.

Impact Summary

WordPress 4.8.12 is a security-focused maintenance release that addresses two specific vulnerabilities:

  1. A missing permission check: WordPress did not verify that a user had the publish_posts capability before allowing them to make a post sticky.

  2. A bypass in wp_kses_bad_protocol(): the HTML5 named entity &colon; was not recognized as a scheme separator, so a disallowed scheme such as javascript&colon; could be stored in a URI attribute and decoded by the browser.

While these changes are minimal in terms of code modifications (48 additions, 6 deletions across 6 files), they have significant security implications. The release doesn't introduce any new features or change existing functionality, focusing solely on closing these security gaps.

Site owners should update immediately to protect their WordPress installations from potential exploits targeting these vulnerabilities.

Statistics:

  Files changed: 6
  Line additions: 48
  Line deletions: 6
  Line changes: 54
  Total commits: 3

Users affected:

  • Site administrators: sticky-post assignment is again limited to users with the publish_posts capability
  • Readers and editors of user-submitted content: links filtered by KSES can no longer smuggle a javascript: scheme through the &colon; entity

Contributors:

SergeyBiryukov