HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.9.11

WordPress Release: 4.9.11

Tag Name: 4.9.11

Release Date: 9/4/2019

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.9.11 is primarily a security and maintenance release that addresses several important security vulnerabilities and improves URL handling. This update includes fixes for URL validation, sanitization, and output escaping, along with a critical jQuery security patch backported from jQuery 3.4.0. The release also streamlines the CI testing infrastructure for the 4.9 branch to improve development efficiency.

Highlight of the Release

    • Security fixes for URL validation and sanitization
    • jQuery security patch backported from jQuery 3.4.0
    • Improved handling of rel attributes in links
    • Enhanced output escaping in attachment uploads

Migration Guide

No specific migration steps are required for this update. WordPress 4.9.11 is a maintenance and security release that should not break existing functionality.

To update:

  1. Back up your website before updating
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. If you're using a managed WordPress host, the update may be applied automatically

No database schema changes or template modifications are included in this release.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress 4.9.x installations.

This release contains several important security fixes, including a jQuery security patch and improvements to URL validation and sanitization. These security enhancements protect against potential vulnerabilities that could be exploited if left unpatched.

The update process should be smooth with no expected compatibility issues. As always, backing up your site before updating is recommended as a best practice.

Bug Fixes

  • Fixed URL validation in wp_validate_redirect() to improve security and prevent potential redirect vulnerabilities
  • Removed _convert_urlencoded_to_entities() from the get_the_content() callback to fix content handling issues
  • Improved handling of existing rel attributes in wp_rel_nofollow_callback() to ensure proper attribute management
  • Fixed URL sanitization in wp_kses_bad_protocol_once() to prevent potential security issues
  • Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities

New Features

No significant new features were added in this release. WordPress 4.9.11 focuses on security improvements and bug fixes rather than introducing new functionality.

Security Updates

  • Improved URL validation in wp_validate_redirect() to prevent potential open redirect vulnerabilities
  • Enhanced URL sanitization in wp_kses_bad_protocol_once() to prevent potential security issues with malformed URLs
  • Added proper output escaping in wp_ajax_upload_attachment() to prevent potential XSS vulnerabilities
  • Backported security patch from jQuery 3.4.0 to address potential vulnerabilities in jQuery's manipulation of HTML content
  • Improved handling of the rel attribute in wp_rel_nofollow_callback() to ensure secure attribute management

Performance Improvements

  • Streamlined CI testing infrastructure for the 4.9 branch by removing unnecessary PHP version testing jobs (PHP 7.1, 7.0, 5.6, 5.5, 5.4, 5.3, and nightly builds)
  • Switched npm dependency caching strategy on Travis CI from caching node_modules to caching npm's local cache, preventing issues with modules compiled using different node versions
  • These CI improvements don't directly affect WordPress performance but improve development efficiency for the 4.9 branch

Impact Summary

WordPress 4.9.11 is primarily a security-focused maintenance release that addresses several important vulnerabilities without introducing new features or changing existing functionality. The security improvements focus on URL handling, validation, and sanitization, along with a critical jQuery security patch.

The most significant impact is the enhanced security posture for WordPress sites, particularly in how WordPress handles URLs and user-generated content. The jQuery security patch addresses potential vulnerabilities that could be exploited in certain circumstances.

For most users, this update will be invisible in terms of functionality changes but provides important security protections. Site administrators should update promptly to ensure their sites remain secure against the vulnerabilities addressed in this release.

Developers should note the changes to URL handling functions and the jQuery security patch if they have custom code that interacts with these components.

Statistics:

File Changed18
Line Additions76
Line Deletions132
Line Changes208
Total Commits11

User Affected:

  • Should update immediately to protect sites from security vulnerabilities
  • Will benefit from improved URL validation and sanitization
  • No visible changes to the admin interface or functionality

Contributors:

johnbillionSergeyBiryukovwhyisjakedesrosjazaozz