
WordPress Release: 4.9.22

Tag Name: 4.9.22

Release Date: 10/17/2022

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.9.22 Security Release

This maintenance release includes multiple security fixes and introduces new strings to indicate security support status for WordPress versions. The update focuses primarily on hardening WordPress against various security vulnerabilities, including KSES improvements for post-by-email content, trackbacks, and comments, as well as adding validation for hosts and query parameters. This release is part of WordPress's ongoing commitment to maintaining security for older branches.

Highlight of the Release

    • Multiple security fixes across various WordPress components
    • Introduction of strings to indicate security support status for WordPress versions
    • Improved KSES application to post-by-email content, trackbacks, and comments
    • Enhanced validation for hosts and query parameters
    • Security improvements to the REST API, widgets, and customizer

Migration Guide

No specific migration steps are required for this security release. Simply update to WordPress 4.9.22 through your dashboard or by downloading the update from wordpress.org.

Upgrade Recommendations

Immediate upgrade recommended for all WordPress 4.9 installations.

This is a security release that addresses multiple vulnerabilities. All WordPress sites running version 4.9.x should be updated immediately to version 4.9.22 to maintain site security.

The 4.9 branch is in long-term support mode, receiving only critical security updates. Site administrators should consider upgrading to a more recent major version of WordPress for access to new features and continued regular updates.

Bug Fixes

Security Fixes

  • Posts and Post Types:
    • Applied KSES to post-by-email content to prevent potential XSS vulnerabilities
    • Removed email addresses from post-by-email logs to enhance privacy
    • Refactored search by filename functionality within the admin
  • Comments and Trackbacks:
    • Applied KSES to all trackbacks to prevent potential XSS vulnerabilities
    • Enhanced comment editing with improved KSES application
  • Customizer and Widgets:
    • Escaped blogname option in underscores templates
    • Escaped RSS error messages for display in widgets
  • REST API and Queries:
    • Locked down post parameter of the terms endpoint
    • Added validation for the relation parameter in WP_Date_Query
  • Other Improvements:
    • Added validation for host on "Are you sure?" screen
    • Reset PHPMailer properties between uses to prevent information leakage

New Features

New Support Status Indicators

  • Added new translatable strings to indicate the security support status of WordPress versions
  • These strings will be used in future maintenance/security releases to:
    • Notify users when a WordPress version is no longer receiving security updates
    • Alert users when a WordPress version will shortly stop receiving security updates
  • This change makes these strings available to translators in preparation for future use

Security Updates

Security Enhancements

This release includes multiple security fixes:

  • Input Validation and Sanitization:
    • Applied KSES to post-by-email content, trackbacks, and comments to prevent XSS attacks
    • Added host validation on confirmation screens
    • Enhanced validation for query parameters
  • Data Protection:
    • Removed email addresses from post-by-email logs
    • Reset PHPMailer properties between uses to prevent information leakage
  • Output Escaping:
    • Escaped blogname option in underscores templates
    • Properly escaped RSS error messages in widgets
  • API Security:
    • Locked down post parameter of the terms endpoint in the REST API
    • Added validation for relation parameter in WP_Date_Query

These fixes address potential vulnerabilities that could be exploited for cross-site scripting (XSS) attacks, information disclosure, or other security issues.
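The following is an added example, not WordPress core code and not the actual 4.9.22 diff. It illustrates the two patterns behind most of the fixes listed above: sanitize untrusted markup on input with KSES (the post-by-email, trackback and comment fixes) and escape values for their output context (the blogname and RSS error message fixes). It assumes it runs inside a WordPress environment where wp_kses_post, sanitize_text_field, esc_html, esc_url, home_url, get_option and wp_insert_post are available; the example_* function names and the sample email body are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): sanitize-on-input and
 * escape-on-output, the patterns behind several 4.9.22 fixes.
 * Assumes a WordPress environment; all example_* names are hypothetical.
 */

// Constructed sample input: a post-by-email body carrying markup that must
// never reach post_content verbatim. Illustrative only, not from the release.
$email_subject = 'Weekly update <script>alert(1)</script>';
$email_body    = '<p>Hello</p><script>alert(1)</script>'
               . '<a href="javascript:alert(1)">link</a>';

// BEFORE (unsafe pattern): the raw body is stored as post content. Whether
// any KSES filter runs here depends on the current user's capabilities, and a
// mail-driven code path may have no logged-in user at all.
function example_store_email_post_unsafe( $subject, $body ) {
    return wp_insert_post( array(
        'post_title'   => $subject,
        'post_content' => $body, // untrusted HTML stored verbatim
        'post_status'  => 'draft',
    ) );
}

// AFTER (hardened pattern): apply KSES explicitly with the "post" allowlist.
// wp_kses_post() removes <script> and disallowed URL protocols such as
// javascript:, keeping only tags and attributes permitted in post content.
function example_store_email_post_safe( $subject, $body ) {
    return wp_insert_post( array(
        'post_title'   => sanitize_text_field( $subject ),
        'post_content' => wp_kses_post( $body ),
        'post_status'  => 'draft',
    ) );
}

// Output side: values are escaped for the context they are printed into,
// regardless of how they were stored. An RSS fetch error message is plain
// text inside an element, so esc_html() is the right escaper.
function example_render_widget_error( $message ) {
    echo '<p class="rss-error">' . esc_html( $message ) . '</p>';
}

// The blogname option is administrator-controlled but still escaped on
// output; the href gets esc_url() and the text node gets esc_html().
function example_render_site_title() {
    $title = get_option( 'blogname' );
    echo '<a href="' . esc_url( home_url( '/' ) ) . '">'
       . esc_html( $title ) . '</a>';
}

// Usage within WordPress (for example from a plugin hooked to an action):
// example_store_email_post_safe( $email_subject, $email_body );
// example_render_widget_error( 'RSS Error: feed could not be found' );
// example_render_site_title();
```

The design point is that the two layers are independent: KSES on input narrows what is stored, and context-specific escaping on output protects against anything that reached the database by another route. Relying on only one of them is what the listed fixes correct.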

Performance Improvements

No specific performance improvements were mentioned in this security-focused release.

Impact Summary

WordPress 4.9.22 is primarily a security-focused maintenance release for the 4.9 branch. It introduces strings that will be used to notify users about security support status in future releases and includes multiple security fixes across various WordPress components.

The security improvements focus on preventing XSS vulnerabilities by applying KSES to user-generated content, enhancing validation for various parameters, and improving data protection practices. These changes strengthen WordPress against potential security threats without changing functionality or requiring any migration steps.

This release demonstrates WordPress's commitment to maintaining security for older branches while also preparing users for eventual end-of-support notifications. Site administrators should update immediately to protect their sites from potential security vulnerabilities.

Statistics:

Files Changed: 23
Line Additions: 329
Line Deletions: 72
Line Changes: 401
Total Commits: 4

Users Affected:

  • Should update immediately to protect sites from security vulnerabilities
  • Will benefit from improved security measures across multiple WordPress components
  • Should be aware of the upcoming end-of-security-support notifications

Contributors:

peterwilsoncc, SergeyBiryukov