WordPress Release: 4.8.15

Tag Name: 4.8.15

Release Date: 10/29/2020

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.8.15 is a security and maintenance release that addresses several important security vulnerabilities and includes bug fixes. This update improves security in XML-RPC, embeds, meta handling, and theme functionality while also enhancing backward compatibility for screen options and fixing PDF test issues. All WordPress site owners should update immediately to protect their sites from potential security threats.

Highlights of the Release

    • Multiple security enhancements for XML-RPC, embeds, and meta handling
    • Improved backward compatibility for screen options in admin screens
    • Better error messages for unprivileged users in XML-RPC
    • Disabled embeds on deactivated Multisite sites
    • Enhanced sanitization of meta keys before checking protection status

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process.

To update:

  1. Back up your website before updating
  2. Update through the WordPress admin dashboard or via your preferred method
  3. Test your site functionality after the update is complete

Upgrade Recommendations

Immediate Update Recommended

This release contains important security fixes that protect your WordPress site from potential vulnerabilities. All WordPress site owners should update to version 4.8.15 immediately.

The update process should be smooth and without complications as this is primarily a security and maintenance release with no major feature changes or breaking changes.

Bug Fixes

Administration

  • Fixed backward compatibility issues with screen options by passing the result of set-screen-option filter to the new set_screen_option_{$option} filter
  • Renamed the $keep parameter to $screen_option in both filters for better clarity
  • Updated documentation to better reflect the purpose of these filters

Testing

  • Added temporary skipping of PDF tests if they fail due to ImageMagick permission errors

XML-RPC

  • Improved error messages for unprivileged users
  • Fixed error handling when attachment ID is incorrect

Installation

  • Enhanced logic check when determining installation status

New Features

New Filter for Screen Options

A new set_screen_option_{$option} filter has been added to ensure backward compatibility when handling screen options in the admin area. This complements the existing set-screen-option filter and provides more granular control over specific screen options.
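
How a plugin can use the per-option filter to validate a screen option before it is saved, shown as an added example (this is not WordPress core code and not part of the original release notes). The option name example_items_per_page, the function names and the 1-200 bounds are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example Screen Option Validator (illustrative, hypothetical plugin)
 */

// Hypothetical option name; a real plugin would register it with add_screen_option().
define( 'EXAMPLE_PER_PAGE_OPTION', 'example_items_per_page' );

/**
 * Validate the submitted per-page value before WordPress stores it in user meta.
 *
 * @param mixed  $screen_option Result passed on from the legacy 'set-screen-option'
 *                              filter, or false if nothing has accepted the value yet.
 * @param string $option        Name of the screen option being saved.
 * @param mixed  $value         Raw value submitted from the Screen Options form.
 * @return int|false Integer to save, or false so the option is not saved.
 */
function example_validate_per_page( $screen_option, $option, $value ) {
	// Treat the submitted value as untrusted: accept plain digits only.
	if ( ! is_scalar( $value ) || ! ctype_digit( (string) $value ) ) {
		return false;
	}

	$per_page = (int) $value;

	// Assumed bounds; reject rather than silently clamp out-of-range input.
	if ( $per_page < 1 || $per_page > 200 ) {
		return false;
	}

	return $per_page;
}

// New per-option filter: only fires for this plugin's own option name.
add_filter( 'set_screen_option_' . EXAMPLE_PER_PAGE_OPTION, 'example_validate_per_page', 10, 3 );

/**
 * Legacy hook for cores that predate the per-option filter. It must check the
 * option name itself and pass other options through untouched.
 */
function example_legacy_screen_option( $screen_option, $option, $value ) {
	if ( EXAMPLE_PER_PAGE_OPTION !== $option ) {
		return $screen_option;
	}
	return example_validate_per_page( $screen_option, $option, $value );
}
add_filter( 'set-screen-option', 'example_legacy_screen_option', 10, 3 );
```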

Security Updates

Security Enhancements

  • XML-RPC: Improved error messages for unprivileged users to prevent information disclosure
  • External Libraries: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection vulnerabilities
  • Embeds: Disabled embeds on deactivated Multisite sites to prevent potential misuse
  • Escaping Functions: Modified to avoid potential false positives that could lead to security issues
  • Meta Handling: Enhanced sanitization of meta keys before checking protection status
  • Theme Background Images: Ensured that only privileged users can set background images when a theme is using the deprecated custom background page

Performance Improvements

No significant performance improvements were included in this release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 4.8.15 is primarily a security-focused release that addresses several vulnerabilities and improves the overall security posture of WordPress sites. The changes focus on hardening XML-RPC functionality, preventing potential object injection attacks, improving meta handling security, and ensuring proper access controls for theme features.

For developers, the release provides better backward compatibility through the new screen option filter system and improved parameter naming for clarity. The update also enhances error handling in various components and fixes issues with PDF tests that were failing due to ImageMagick permission errors.

This release is particularly important for multisite installations as it disables embeds on deactivated sites, closing a potential security gap. Overall, while the changes are mostly under-the-hood, they significantly improve the security and stability of WordPress installations.

Statistics:

Files Changed: 21
Line Additions: 159
Line Deletions: 42
Line Changes: 201
Total Commits: 5

Users Affected:

  • Enhanced security protections for XML-RPC, embeds, and meta handling
  • Improved backward compatibility for screen options in admin screens
  • Better error messages when handling attachments in XML-RPC
  • Improved installation status detection

Contributors:

SergeyBiryukov, whyisjake, desrosj