WordPress Release: 4.8.13
Tag Name: 4.8.13
Release Date: 4/29/2020
WordPress: World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.8.13 is a security and maintenance release that addresses several important security vulnerabilities and removes outdated test code. This update includes fixes for the Customizer to prevent JSON corruption, improved password security, query handling improvements, better cache API escaping, and enhanced UTF-8 filename support. This release is recommended for all WordPress 4.8 installations.
Highlights of the Release
- Security improvements in the Customizer to prevent JSON corruption
- Enhanced password security with automatic invalidation of activation keys on password updates
- Improved query handling to ensure proper results for date/time based queries
- Better support for UTF-8 characters in filenames
- Removal of outdated test code that no longer serves a purpose
Migration Guide
No specific migration steps are required for this update. This is a standard security and maintenance release that can be applied through the normal WordPress update process.
It's recommended to back up your site before updating, as with any WordPress update.
Upgrade Recommendations
Immediate Upgrade Recommended
This release contains several important security fixes that address potential vulnerabilities in WordPress 4.8. All users are strongly encouraged to update to WordPress 4.8.13 immediately.
If you're running an older version of WordPress, consider updating to the latest major version for access to new features and continued security updates.
Bug Fixes
Query Handling Improvements
Fixed an issue with date/time based queries to ensure that only a single post can be returned when appropriate, preventing potential duplicate results.
Cache API Escaping
Addressed proper escaping around the stats method in the Cache API to prevent potential security issues.
Customizer JSON Corruption Prevention
Added additional filters to the Customizer to prevent JSON corruption, ensuring more reliable operation of the Customizer interface.
New Features
Enhanced UTF-8 Support for Filenames
The sanitize_file_name function has been expanded to provide better support for UTF-8 characters in filenames. This improvement allows for more reliable handling of international characters when uploading and managing files.
Security Updates
User Password Security Enhancement
Improved password security by automatically invalidating the user_activation_key when a password is updated, preventing potential security vulnerabilities related to password reset functionality.
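A simplified Python model of the behaviour described above, added here as an illustration and not WordPress's own code. The `User` class, the helper names, the SHA-256 stand-in hasher and the 24-hour key lifetime are assumptions; the model shows that a reset key issued before a password change still validates afterwards unless the update clears `user_activation_key`.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL = 24 * 3600  # assumed lifetime of a reset key, in seconds


def _hash(value):
    # Stand-in for a real password hasher; illustration only.
    return hashlib.sha256(value.encode()).hexdigest()


class User:
    def __init__(self, login, password):
        self.login = login
        self.pass_hash = _hash(password)
        self.user_activation_key = ""  # empty means no reset is outstanding


def issue_reset_key(user, now=None):
    """Store "<timestamp>:<hash>" on the user and return the plain key."""
    now = int(time.time()) if now is None else now
    key = secrets.token_urlsafe(20)
    user.user_activation_key = f"{now}:{_hash(key)}"
    return key


def check_reset_key(user, key, now=None):
    """True only if a stored key exists, has not expired, and matches."""
    now = int(time.time()) if now is None else now
    if not user.user_activation_key:
        return False
    issued, stored = user.user_activation_key.split(":", 1)
    if now - int(issued) > KEY_TTL:
        return False
    return hmac.compare_digest(stored, _hash(key))


def update_password(user, new_password, invalidate_key=True):
    """Password change; invalidate_key=False models the pre-fix behaviour."""
    user.pass_hash = _hash(new_password)
    if invalidate_key:
        user.user_activation_key = ""


def key_survives_password_change(invalidate_key):
    user = User("alice", "old-password")  # constructed sample account
    key = issue_reset_key(user, now=1000)
    update_password(user, "new-password", invalidate_key)
    return check_reset_key(user, key, now=2000)
```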
Customizer Security Filters
Added additional filters to the Customizer to prevent JSON corruption, which could potentially be exploited for security attacks.
Cache API Escaping
Ensured proper escaping around the stats method in the Cache API to prevent potential security vulnerabilities.
Performance Improvements
Test Code Cleanup
Removed unused test methods and outdated oEmbed tests for YouTube that no longer test anything WordPress core has control over. This cleanup helps maintain a cleaner and more efficient testing environment.
Impact Summary
WordPress 4.8.13 is primarily a security and maintenance release that addresses several potential vulnerabilities and improves the stability of WordPress 4.8. The security enhancements focus on password management, Customizer JSON handling, and proper escaping in the Cache API.
The release also includes improvements for developers and content creators, particularly with better UTF-8 character support in filenames and more reliable query handling for date/time based searches.
While this update doesn't introduce major new features, it's an important security release that all WordPress 4.8 users should apply promptly to maintain the security and stability of their websites.
Statistics:
Users Affected:
- Enhanced security for user password management with invalidation of activation keys on password updates
- Improved Customizer security with additional filters to prevent JSON corruption
- Better protection against potential security vulnerabilities in the Cache API
