HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.8.3

WordPress Release: 4.8.3

Tag Name: 4.8.3

Release Date: 10/31/2017

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.8.3 is a security and maintenance release that addresses a critical SQL injection vulnerability in wpdb::prepare() while restoring support for numbered placeholders. It also includes PHP 7.2 compatibility improvements for testing tools.

This release is crucial for all WordPress site owners as it patches a security vulnerability that could allow attackers to compromise your site. The fix restores functionality that many plugins and themes rely on while ensuring proper security measures are in place.

Highlight of the Release

    • Security fix for SQL injection vulnerability in wpdb::prepare()
    • Restoration of numbered placeholders support in wpdb::prepare()
    • PHP 7.2 compatibility improvements for testing tools
    • Additional validation to ensure correct number of arguments in database queries

Migration Guide

No specific migration steps are required for this update. However, developers should note:

  1. If you were affected by the removal of numbered placeholders in wpdb::prepare(), this update restores that functionality
  2. Ensure that your code passes the correct number of arguments to wpdb::prepare() based on the number of placeholders in your queries
  3. If you're using PHP 7.2 for development/testing, the testing framework should now work correctly with the updated WP_PHPUnit_Util_Getopt class

Upgrade Recommendations

Immediate Update Strongly Recommended

This is a security release that addresses a critical SQL injection vulnerability. All WordPress site owners should update to version 4.8.3 immediately.

The update process is standard:

  1. Back up your website files and database
  2. Update through the WordPress dashboard or download the update and install it manually
  3. Test your site functionality after updating

If you're using plugins or themes that might rely on wpdb::prepare() with numbered placeholders, this update should restore compatibility while maintaining security.

Bug Fixes

Database Query Preparation Fix

  • Restored support for numbered placeholders in wpdb::prepare() which were removed in a previous update but were widely used by plugins and themes
  • Added additional validation to ensure the correct number of arguments are passed to wpdb::prepare() based on the number of placeholders in the query
  • Restored support for a subset of placeholder formatting options

Testing Framework Fixes

  • Updated the WP_PHPUnit_Util_Getopt class to be compatible with PHP 7.2 by removing usage of the deprecated each() function
  • Fixed the $message argument handling in WP_UnitTestCase::setExpectedException() for the test cases Tests_Ajax_CompressionTest::test_logged_out() and Tests_Ajax_TagSearch::test_no_results()

New Features

No new features were introduced in this maintenance release. The focus was on security fixes and compatibility improvements.

Security Updates

Critical SQL Injection Vulnerability Fix

WordPress 4.8.3 addresses a critical security issue with wpdb::prepare() that could lead to potential SQL injection attacks. The update adds additional validation to ensure that the correct number of arguments are being passed to wpdb::prepare() based on the number of placeholders in the query.

This fix is particularly important as it balances security with backward compatibility by restoring support for numbered placeholders while ensuring they're used safely.

Performance Improvements

No specific performance improvements were included in this release. The focus was on security fixes and compatibility improvements.

Impact Summary

WordPress 4.8.3 is primarily a security release that fixes a critical SQL injection vulnerability in the database query preparation system. The update strikes a balance between security and backward compatibility by restoring support for numbered placeholders in wpdb::prepare() while adding validation to ensure they're used safely.

This release is particularly important for sites running plugins or themes that relied on the previously undocumented but widely used numbered placeholder functionality. The security fix ensures that database queries are properly sanitized while maintaining compatibility with existing code.

Additionally, the release includes PHP 7.2 compatibility improvements for WordPress testing tools, which is beneficial for developers working with newer PHP versions. These changes remove usage of deprecated PHP functions like each() and fix argument handling in test cases.

Overall, this is a crucial update that all WordPress sites should implement immediately to protect against potential security threats while ensuring continued compatibility with the WordPress plugin ecosystem.

Statistics:

File Changed15
Line Additions584
Line Deletions56
Line Changes640
Total Commits5

User Affected:

  • Need to update their WordPress installations immediately to protect against the SQL injection vulnerability
  • Should check that plugins and themes continue to function properly after the update

Contributors:

johnbillionpentoswissspidy