WordPress Release: 4.9.12
Tag Name: 4.9.12
Release Date: 10/14/2019
WordPress: World's most popular open-source content management system, powering over 40% of all websites. Offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 4.9.12 is a security and maintenance release for the 4.9 branch. It fixes several security issues (hex interpretation during URL validation in the HTTP API, directory traversal when creating folders through the Filesystem API, and admin referer nonce validation), adds a Vary: Origin header to REST API GET responses, removes the static query property, and adds .nvmrc files so contributors pick up the expected Node.js version. All site owners still on 4.9.x should update immediately.
Highlight of the Release
- Critical security fixes for HTTP API, Filesystem API, and admin authentication
- Added .nvmrc files to older WordPress branches so contributors use the Node.js version the build tooling expects
- REST API now sends a Vary: Origin header on GET requests so shared caches keep responses for different origins apart
- Fixed query handling by removing the static query property
Migration Guide
No specific migration steps are required for this update. This is a standard security and maintenance release and is a drop-in update for existing WordPress 4.9.x installations.
To update:
- Back up your website files and database before updating
- Update through the WordPress admin dashboard (Dashboard > Updates) or download the package from wordpress.org; sites with automatic background updates enabled (the default for minor releases) receive 4.9.12 on their own
- Verify your site functionality, and the version shown under Dashboard > Updates, after the update is complete
If you're using custom plugins or themes that interact with the WordPress HTTP API, Filesystem API, or REST API, test those components after updating to confirm they continue to function as expected; any code that referenced the removed static query property must be updated.
Upgrade Recommendations
Priority: Critical
All WordPress site owners running version 4.9.11 or earlier on the 4.9 branch should update to WordPress 4.9.12 immediately. This release contains several security fixes covering the HTTP API, the Filesystem API, and admin authentication.
While this is a maintenance release for the 4.9 branch rather than the current major version, the security fixes warrant immediate attention. Sites running WordPress 4.9.x that do not update remain exposed to the issues fixed here.
For sites that have not yet upgraded to WordPress 5.x, this release delivers the same security fixes shipped in WordPress 5.2.4 on the same day, backported to the 4.9 branch without a major-version change.
Bug Fixes
Query Handling
- Removed the static query property to fix incorrect query handling; custom code that read or set this property will need to be updated
HTTP API
- Fixed hex interpretation of input during URL validation in the HTTP API: hexadecimal notation was not handled consistently, which let a URL pass the validation meant to block requests to internal or otherwise disallowed addresses
- This is a server-side request forgery (SSRF) fix and concerns outbound requests made by the site (for example through wp_safe_remote_get()), not malformed requests sent to the site
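To make the class of problem concrete, here is an added example written for this page (not WordPress core code and not the actual patch) of an outbound-URL check in the spirit of the HTTP API's wp_http_validate_url(). The point it shows is that the decision has to be made on the addresses a host resolves to, not on how the host is written: spellings such as a hexadecimal octet or a single 32-bit number fail strict IP validation, yet a resolver may still turn them into 127.0.0.1. The function names, the resolver and its lookup table are this example's own, constructed so it runs offline.

```php
<?php
// Added example, not WordPress core code. ssrf_safe_target() and
// is_internal_ip() are this example's own names; the resolver is injected so
// the check can run offline against a constructed lookup table.

/**
 * True when a canonical IP literal is loopback, private, link-local or
 * otherwise reserved. These are the ranges PHP's filter flags know about;
 * ranges such as 100.64.0.0/10 would need an explicit extra check.
 */
function is_internal_ip( string $ip ): bool {
    return false === filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/**
 * Decide whether the site may issue a request to $url.
 * $resolver maps a hostname to the list of IP strings it resolves to; in
 * production wrap gethostbynamel() or dns_get_record().
 */
function ssrf_safe_target( string $url, callable $resolver ): bool {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['host'] ) ) {
        return false;
    }
    $scheme = strtolower( $parts['scheme'] ?? '' );
    if ( 'http' !== $scheme && 'https' !== $scheme ) {
        return false;
    }
    $host = strtolower( trim( $parts['host'], '[]' ) ); // strip IPv6 brackets

    // A canonical IP literal is checked as written.
    if ( false !== filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return ! is_internal_ip( $host );
    }

    // Anything else is treated as a name. The resolver, not the validator,
    // decides what "0x7f.0.0.1" or "2130706433" means, so the decision is made
    // on every address it returns; an empty or non-canonical answer is a rejection.
    $addresses = $resolver( $host );
    if ( empty( $addresses ) ) {
        return false;
    }
    foreach ( $addresses as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) || is_internal_ip( $ip ) ) {
            return false;
        }
    }
    return true;
}

// Constructed lookup table standing in for DNS. The hex and decimal entries
// model resolvers that parse such strings as numeric addresses; confirm how
// your own platform's resolver behaves rather than assuming it.
$fake_resolver = function ( string $host ): array {
    $table = array(
        'example.com' => array( '93.184.216.34' ),
        '0x7f.0.0.1'  => array( '127.0.0.1' ),       // hex first octet
        '2130706433'  => array( '127.0.0.1' ),       // 32-bit decimal form
        'metadata'    => array( '169.254.169.254' ), // link-local, cloud metadata
    );
    return $table[ $host ] ?? array();
};

foreach ( array(
    'https://example.com/feed/',
    'http://0x7f.0.0.1/wp-admin/',
    'http://2130706433/',
    'http://[::1]/',
    'http://metadata/latest/',
    'ftp://example.com/',
) as $url ) {
    printf( "%-32s %s\n", $url, ssrf_safe_target( $url, $fake_resolver ) ? 'allowed' : 'blocked' );
}
```

Only the first URL is allowed; the others are blocked either by scheme or because what they resolve to is loopback or link-local. In WordPress itself, pass reject_unsafe_urls => true to wp_remote_get() (or use wp_safe_remote_get()) so that wp_http_validate_url() runs, and remember that a check at validation time does not pin the address used for the connection, so a name that changes its answer between validation and connect (DNS rebinding) is a separate concern.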
Filesystem API
- Prevent directory traversal when creating a new folder through the Filesystem API: a requested folder path containing parent-directory (..) segments can no longer escape the intended parent directory
- This stops an attacker who controls a folder name from creating directories, and subsequently writing files, outside the intended directory tree
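Here is an added example of what "a folder name may not escape its parent" looks like in code. It is written for this page and is not WordPress core code or the core patch: it rejects parent-directory segments, NUL bytes and absolute paths, then resolves whatever part of the path already exists so a symlink inside the base cannot be used as a stepping stone out of it. The function names, the scratch directory under the system temp dir and the test names are this example's own, and it assumes POSIX-style paths.

```php
<?php
// Added example, not WordPress core code. safe_mkdir_under() and
// contains_traversal() are this example's own names; the demo runs against a
// scratch directory under the system temp dir and assumes POSIX-style paths.

/** Reject parent-directory segments and NUL bytes in a requested folder name. */
function contains_traversal( string $name ): bool {
    if ( false !== strpos( $name, "\0" ) ) {
        return true; // a NUL would truncate the path at the C library layer
    }
    foreach ( explode( '/', str_replace( '\\', '/', $name ) ) as $segment ) {
        if ( '..' === $segment ) {
            return true;
        }
    }
    return false;
}

/**
 * Create $requested beneath $base and return the created path, or null if the
 * request would land anywhere other than inside $base.
 */
function safe_mkdir_under( string $base, string $requested ): ?string {
    $real_base = realpath( $base );
    if ( false === $real_base || ! is_dir( $real_base ) ) {
        return null; // the parent must already exist and be a directory
    }
    $real_base = rtrim( $real_base, '/' );

    if ( contains_traversal( $requested ) ) {
        return null;
    }
    $requested = rtrim( str_replace( '\\', '/', $requested ), '/' );
    if ( '' === $requested || '/' === $requested[0] || preg_match( '#^[a-z]:#i', $requested ) ) {
        return null; // empty, absolute, or a Windows drive path: never "under" $base
    }

    // Walk the segments that already exist, resolving symlinks as we go, so a
    // link inside $base that points outside cannot be used as a stepping stone.
    $segments = array_values( array_filter( explode( '/', $requested ), 'strlen' ) );
    $resolved = $real_base;
    $i        = 0;
    while ( $i < count( $segments ) ) {
        $next = realpath( $resolved . '/' . $segments[ $i ] );
        if ( false === $next ) {
            break; // first component that does not exist yet
        }
        $resolved = $next;
        $i++;
    }
    if ( $resolved !== $real_base && 0 !== strpos( $resolved, $real_base . '/' ) ) {
        return null; // an existing prefix escaped the base via a symlink
    }

    $target = $resolved;
    if ( $i < count( $segments ) ) {
        $target .= '/' . implode( '/', array_slice( $segments, $i ) );
    }
    if ( ! is_dir( $target ) && ! mkdir( $target, 0755, true ) ) {
        return null;
    }
    return $target;
}

// Demo against a scratch directory; the folder names are constructed inputs.
$base = sys_get_temp_dir() . '/wp-mkdir-demo';
if ( ! is_dir( $base ) ) {
    mkdir( $base, 0755, true );
}
foreach ( array( '2019/10', '../../etc/cron.d', 'themes/..\\..\\escape', "ok\0.php", '/etc/passwd' ) as $name ) {
    $result = safe_mkdir_under( $base, $name );
    printf( "%-24s -> %s\n", addcslashes( $name, "\0" ), null === $result ? 'rejected' : 'created ' . $result );
}
```

Only the first name is created; the traversal, backslash-traversal, NUL and absolute-path inputs are all rejected before any filesystem write. Inside WordPress, hand the checked path to wp_mkdir_p() or the WP_Filesystem mkdir() method rather than calling mkdir() directly, so the usual ownership and permission handling still applies.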
Administration
- Ensure the admin referer nonce is actually validated before an administrative request is processed
- Nonce checks are WordPress's defence against cross-site request forgery (CSRF); a request that lacks a valid nonce can no longer carry out the action
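The following is an added example (not WordPress core code) of the check the fix is about, as it appears in plugin code: an admin-post handler shown first without the referer nonce check and then with it, plus the form that emits the nonce field. The plugin name, the option demo_banner_text, the action demo_save_banner and the settings page slug are made up for the example; the WordPress functions it calls (check_admin_referer(), wp_nonce_field(), current_user_can(), admin_url() and friends) are real core APIs.

```php
<?php
/*
 * Plugin Name: Demo Banner (CSRF example)
 * Added example, not WordPress core code. Option/action names are made up.
 */

// Vulnerable form (deliberately not hooked): any request that reaches
// admin-post.php with a logged-in administrator's cookies is honoured, so a
// form on an attacker's page can submit it on the victim's behalf.
function demo_save_banner_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'demo_banner_text', sanitize_text_field( wp_unslash( $_POST['banner'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-banner&saved=1' ) );
    exit;
}

// Hardened form: check_admin_referer() verifies the _wpnonce field against the
// action name for the current user and session and stops the request with
// wp_die() when the nonce is missing or stale, before any state changes.
function demo_save_banner() {
    check_admin_referer( 'demo_save_banner' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'demo_banner_text', sanitize_text_field( wp_unslash( $_POST['banner'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-banner&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_save_banner', 'demo_save_banner' );

// The settings form: wp_nonce_field() emits the hidden _wpnonce (and
// _wp_http_referer) inputs that check_admin_referer() expects to find.
function demo_banner_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_banner">
        <?php wp_nonce_field( 'demo_save_banner' ); ?>
        <input type="text" name="banner" value="<?php echo esc_attr( get_option( 'demo_banner_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page( 'Demo Banner', 'Demo Banner', 'manage_options', 'demo-banner', 'demo_banner_form' );
} );
```

The capability check and the nonce check do different jobs: current_user_can() asks whether this user may perform the action, check_admin_referer() asks whether this user intended to, and both have to pass. When reviewing a plugin, look for every admin_post_*, admin-ajax and settings handler that changes state and confirm the nonce check sits on the path before the write, not after it.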
REST API
- Added a Vary: Origin header on REST API GET responses. The REST API reflects the request's Origin in Access-Control-Allow-Origin, so without Vary: Origin a shared cache could store a response produced for one origin and serve it to requests from another (cache poisoning of JSON GET requests); the header tells caches to key the response on the Origin it was produced for
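The cache behaviour behind this fix is easy to get wrong in the abstract, so here is an added example (written for this page, not WordPress core code) of a toy shared cache that keys entries on the request headers named in the response's Vary header. It runs two poisoning orders against the same REST URL, once with Vary: Origin absent and once with it present, and reports what a legitimate front-end on a different origin ends up receiving. The class and function names, the origins and the path are constructed for the example.

```php
<?php
// Added example, not WordPress core code: a toy shared cache that keys entries
// on the request headers named in the response's Vary header, used to show what
// goes wrong when an Origin-reflecting GET endpoint omits "Vary: Origin".
// VaryAwareCache, cors_response() and run_scenario() are this example's names;
// the origins and the path are constructed.

/** What an Origin-reflecting JSON endpoint sends back. */
function cors_response( string $path, ?string $origin, bool $send_vary ): array {
    $headers = array( 'Content-Type' => 'application/json' );
    if ( null !== $origin ) {
        $headers['Access-Control-Allow-Origin']      = $origin;
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    if ( $send_vary ) {
        $headers['Vary'] = 'Origin';
    }
    return array( 'headers' => $headers, 'body' => json_encode( array( 'path' => $path ) ) );
}

class VaryAwareCache {
    private $store = array();

    /** Serve from cache when the URL and the Vary-named request headers match. */
    public function fetch( string $path, array $request_headers, callable $origin_server ): array {
        foreach ( $this->store[ $path ] ?? array() as $entry ) {
            if ( $entry['key'] === $this->vary_key( $entry['vary'], $request_headers ) ) {
                return array( 'hit' => true ) + $entry['response'];
            }
        }
        $response = $origin_server( $path, $request_headers );
        $vary     = $response['headers']['Vary'] ?? '';
        $this->store[ $path ][] = array(
            'vary'     => $vary,
            'key'      => $this->vary_key( $vary, $request_headers ),
            'response' => $response,
        );
        return array( 'hit' => false ) + $response;
    }

    /** Secondary cache key: each Vary header name paired with the request's value. */
    private function vary_key( string $vary, array $request_headers ): string {
        $pairs = array();
        foreach ( array_filter( array_map( 'trim', explode( ',', $vary ) ) ) as $name ) {
            $pairs[] = $name . '=' . ( $request_headers[ $name ] ?? '' );
        }
        return implode( ';', $pairs );
    }
}

/**
 * Two poisoning orders against the same URL; returns what the legitimate
 * front-end at https://app.example receives in each.
 */
function run_scenario( bool $send_vary ): array {
    $path   = '/wp-json/wp/v2/posts';
    $server = function ( string $p, array $h ) use ( $send_vary ) {
        return cors_response( $p, $h['Origin'] ?? null, $send_vary );
    };
    $out = array();

    // Order 1: a plain same-origin GET (no Origin header) fills the cache first.
    $cache = new VaryAwareCache();
    $cache->fetch( $path, array(), $server );
    $victim = $cache->fetch( $path, array( 'Origin' => 'https://app.example' ), $server );
    $out['after_plain_get'] = array( 'hit' => $victim['hit'], 'acao' => $victim['headers']['Access-Control-Allow-Origin'] ?? null );

    // Order 2: an attacker's page on another origin fills the cache first.
    $cache = new VaryAwareCache();
    $cache->fetch( $path, array( 'Origin' => 'https://attacker.example' ), $server );
    $victim = $cache->fetch( $path, array( 'Origin' => 'https://app.example' ), $server );
    $out['after_attacker_get'] = array( 'hit' => $victim['hit'], 'acao' => $victim['headers']['Access-Control-Allow-Origin'] ?? null );

    return $out;
}

foreach ( array( false, true ) as $send_vary ) {
    printf( "Vary: Origin %s\n", $send_vary ? 'sent' : 'absent' );
    foreach ( run_scenario( $send_vary ) as $order => $r ) {
        printf( "  %-20s cache %s, Access-Control-Allow-Origin: %s\n",
            $order, $r['hit'] ? 'HIT ' : 'MISS', $r['acao'] ?? '(none)' );
    }
}
```

With Vary: Origin absent, both orders are cache hits: the front-end receives either no Access-Control-Allow-Origin at all or one naming the attacker's origin, and in both cases its browser refuses to read the response, so the attacker has broken the API for that origin for as long as the entry lives. With Vary: Origin sent, both are misses and the front-end gets a response produced for its own origin. In WordPress these CORS headers are emitted by rest_send_cors_headers(); a quick check after updating is to request a /wp-json/ URL with an Origin header and confirm that Vary: Origin is present in the response.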
New Features
Node.js Version Management Support
- Added .nvmrc files to older versions of WordPress so that developers pick up the Node.js version the build tooling expects (nvm reads the file from the checkout and selects that version) rather than guessing
- This keeps development environments consistent and simplifies setup for contributors working with older WordPress branches
Security Updates
Critical Security Fixes
This release includes several important security fixes:
- HTTP API Protection: Fixed hex interpretation of input during URL validation. Hexadecimal notation was not handled consistently, which let a URL pass the validation meant to block requests to internal or otherwise disallowed addresses (server-side request forgery).
- Filesystem API Security: Prevented directory traversal when creating a new folder, so a folder name containing parent-directory segments cannot create directories, or subsequently files, outside the intended location.
- Admin Authentication Enhancement: Ensured the admin referer nonce is validated before administrative actions are processed, closing a gap in WordPress's cross-site request forgery (CSRF) protection.
- REST API Security: Added a Vary: Origin header on GET requests so that shared caches do not serve a response carrying one origin's CORS headers to requests from another origin (cache poisoning).
These are the security fixes shipped in WordPress 5.2.4 on the same day, backported to the 4.9 branch. All users still on 4.9.x are strongly encouraged to update to WordPress 4.9.12 immediately.
Performance Improvements
No specific performance improvements were mentioned in this release. The focus appears to be on security fixes and minor enhancements rather than performance optimizations.
Impact Summary
WordPress 4.9.12 is primarily a security-focused release. Its main impact is an improved security posture for 4.9.x sites through the fixes to URL validation in the HTTP API, folder creation in the Filesystem API, admin referer nonce validation, and REST API cache behaviour.
For developers, the addition of .nvmrc files to older WordPress versions provides a quality-of-life improvement for Node.js version management when working with these codebases. This helps maintain consistency across development environments and simplifies the setup process.
The removal of the static query property may break custom code that relied on it; that code must be updated, since the property was removed to fix query handling rather than as a cosmetic refactor.
Overall, this release demonstrates WordPress's ongoing commitment to security maintenance even for older branches, ensuring that sites that haven't yet upgraded to version 5.x remain protected against known vulnerabilities.
Statistics:
Users affected: all sites on the 4.9 branch, which
- Need to update their WordPress installations to pick up the security fixes above
- Benefit from the tightened admin referer nonce validation
- Should verify their sites function correctly after the update
