WordPress Release: 4.8.7

TL;DR

WordPress 4.8.7 is a security release that addresses a vulnerability in the media handling system. This update limits thumbnail file deletions to the same directory as the original file, preventing potential unauthorized file deletion outside the intended directory structure. This is an important security fix that all WordPress 4.8.x users should apply immediately to protect their sites from potential exploitation.

Highlight of the Release

• Security fix for media thumbnail deletion vulnerability
• Limits thumbnail file deletions to the same directory as the original file
• Prevents potential unauthorized file deletion outside the media directory

Migration Guide

No migration steps are required for this update. This is a direct security fix that doesn't change any APIs or user-facing functionality. Simply update to WordPress 4.8.7 through your admin dashboard or via manual update.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains an important security fix. All WordPress sites running version 4.8.x should be updated immediately to version 4.8.7.

You can update through your WordPress admin dashboard by going to Dashboard → Updates and clicking "Update Now," or you can download the release directly from WordPress.org and perform a manual update.

If you are on WordPress 4.9 or later, you are not affected by this specific vulnerability as it has already been addressed in those versions.

Bug Fixes

Media Thumbnail Deletion Security Fix

Fixed a vulnerability in the media handling system that could potentially allow thumbnail file deletions outside the intended directory. The update ensures that thumbnail file deletions are strictly limited to the same directory as the original file, preventing unauthorized file deletion in other parts of the system.

New Features

No new features were introduced in this security maintenance release. WordPress 4.8.7 focuses exclusively on addressing a security vulnerability in the media handling system.

Security Updates

Media File Deletion Vulnerability

Fixed a security vulnerability in the media handling system that could potentially allow thumbnail file deletions outside the intended directory structure. This could have been exploited to delete files in other parts of the WordPress installation. The fix ensures that thumbnail file deletions are strictly limited to the same directory as the original file, preventing potential unauthorized file deletion attacks.

Performance Improvements

No specific performance improvements were included in this release. WordPress 4.8.7 is focused on addressing a security vulnerability rather than performance enhancements.

Impact Summary

WordPress 4.8.7 addresses a significant security vulnerability in the media handling system that could potentially allow unauthorized file deletion. By limiting thumbnail file deletions to the same directory as the original file, this update closes a security hole that could have been exploited to delete files outside the media directory structure.

This is a targeted security release with minimal code changes (117 changes across 5 files), focusing exclusively on fixing the identified vulnerability without introducing new features or other changes. The security improvement enhances the overall integrity of WordPress installations by preventing potential attacks that could exploit the media deletion functionality.

For site administrators, this update is critical to maintain the security of WordPress installations. The fix is transparent to end users and doesn't change any user-facing functionality or workflows.