WordPress Release: 4.8.21

TL;DR

WordPress 4.8.21: Security Maintenance Release

This maintenance release includes multiple security fixes and introduces new strings to indicate security support status for WordPress versions. The update addresses several vulnerabilities related to content sanitization, input validation, and potential XSS issues across various WordPress components including post-by-email, comments, widgets, and the REST API. This release is critical for maintaining the security of WordPress 4.8 installations.

Highlight of the Release

• Introduction of strings to indicate security support status for WordPress versions
• Multiple security fixes across core WordPress components
• Enhanced content sanitization for post-by-email, comments, and trackbacks
• Improved input validation in multiple areas including the REST API and WP_Date_Query
• Better security for the WordPress Customizer and widgets

Migration Guide

No specific migration steps are required for this security maintenance release. Site administrators should update to WordPress 4.8.21 as soon as possible to ensure their sites are protected against the security vulnerabilities addressed in this release.

The new strings for security support status are being introduced for future use and do not require any immediate action from users or developers.

Upgrade Recommendations

Immediate Upgrade Recommended

All WordPress 4.8.x sites should be updated to version 4.8.21 immediately. This security maintenance release addresses multiple vulnerabilities that could potentially be exploited if left unpatched.

For optimal security and feature support, consider upgrading to the latest major version of WordPress if your site's plugins and themes are compatible. WordPress 4.8 is an older branch and will eventually reach end-of-life for security support.

The introduction of security support status strings in this release indicates that the WordPress security team is preparing for potential changes in the support status of older versions, making it even more important to plan for upgrading to a more recent major version.

Bug Fixes

Security Vulnerabilities Fixed

• Post-by-Email:

  • Applied KSES filtering to post-by-email content to prevent potential XSS attacks
  • Removed email addresses from post-by-email logs to enhance privacy

• Comments and Trackbacks:

  • Applied KSES filtering to all trackbacks to prevent malicious content
  • Enhanced security when editing comments with proper content sanitization

• Admin Interface:

  • Validated host on the "Are you sure?" confirmation screen
  • Refactored media search by filename within the admin area for better security

• Customizer and Widgets:

  • Escaped blogname option in underscores templates
  • Properly escaped RSS error messages for display in widgets

• REST API:

  • Improved security for the terms endpoint by locking down post parameters

• Core Functionality:

  • Reset PHPMailer properties between uses to prevent information leakage
  • Added validation for relation parameter in WP_Date_Query

New Features

New Support Status Indicators

• Added new translatable strings to indicate when a WordPress version is no longer receiving security updates
• Added strings to notify users when a WordPress version will shortly stop receiving security updates
• These strings are being made available to translators in preparation for future maintenance releases

Security Updates

Comprehensive Security Enhancements

This release includes multiple security fixes addressing various vulnerabilities:

• Content Sanitization Improvements:

  • Enhanced KSES filtering applied to post-by-email content
  • Improved sanitization for trackbacks and comments
  • Better escaping of user-generated content in multiple areas

• Input Validation:

  • Added host validation on confirmation screens
  • Implemented parameter validation in the REST API terms endpoint
  • Added relation validation in WP_Date_Query

• XSS Prevention:

  • Properly escaped blogname in underscores templates
  • Escaped RSS error messages in widgets
  • Improved sanitization across multiple admin interfaces

• Privacy Enhancements:

  • Removed email addresses from post-by-email logs
  • Reset PHPMailer properties between uses to prevent information leakage

These fixes address potential vulnerabilities that could be exploited for cross-site scripting attacks, information disclosure, or other security issues.

Performance Improvements

No specific performance improvements were mentioned in this security maintenance release. The focus was primarily on addressing security vulnerabilities and introducing support status indicators.

Impact Summary

WordPress 4.8.21 is a critical security maintenance release that addresses multiple vulnerabilities across various WordPress components. The release focuses on improving content sanitization, input validation, and preventing potential XSS attacks in features like post-by-email, comments, trackbacks, the REST API, and widgets.

Additionally, this release introduces new strings to indicate security support status, which will be used in future maintenance releases to notify users when a WordPress version is no longer receiving security updates or will soon stop receiving them. This preparation suggests that the WordPress security team may be planning changes to the support lifecycle of older WordPress versions.

While this update doesn't introduce new features or performance improvements, it's essential for maintaining the security of WordPress 4.8 installations. Site administrators should apply this update immediately to protect their sites from potential security threats.