HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.9.23

WordPress Release: 4.9.23

Tag Name: 4.9.23

Release Date: 5/16/2023

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.9.23 is a maintenance and security release that addresses critical security vulnerabilities, improves testing infrastructure, and adds new translation strings for end-of-life notifications. This update focuses on enhancing WordPress's security posture by fixing CSRF vulnerabilities in media attachments and adding protocol validation for embeds, while also modernizing the GitHub Actions workflows to ensure continued reliability of the testing infrastructure.

Highlight of the Release

    • Security fixes for CSRF vulnerability in media attachment thumbnails
    • Added protocol validation for WordPress Embed code
    • Improved testing infrastructure with updated GitHub Actions workflows
    • Added new translation strings for end-of-life notifications
    • Refactored HTTP API tests to remove external dependencies

Migration Guide

No specific migration steps are required for this release. As this is primarily a security and maintenance release, standard update procedures apply:

  1. Back up your WordPress site before updating
  2. Update through the WordPress admin dashboard or via your preferred method
  3. Test your site functionality after the update

No database schema changes or breaking changes are included in this release.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that address vulnerabilities in media attachments and embed functionality. All WordPress site administrators should update to version 4.9.23 immediately to protect their sites.

The update process should be smooth as this is a maintenance release with no breaking changes. As always, it's recommended to back up your site before performing any updates.

Bug Fixes

HTTP API Test Improvements

The test for multiple location headers in WP_HTTP::handle_redirects() has been refactored to no longer depend on wordpress.org as an external dependency. The test now calls the method directly with a mocked array of HTTP headers containing multiple location headers and has been moved from the external-http group to the http test group as it no longer makes an HTTP request.

New Features

New Translation Strings for End-of-Life Notifications

New translation strings have been added to about.php for use when releasing the final version of WordPress on a particular branch. These strings will help communicate important end-of-life information to users in their preferred language.

Security Updates

Critical Security Fixes

This release includes important security fixes:

  1. Media: Prevent CSRF setting attachment thumbnails A Cross-Site Request Forgery (CSRF) vulnerability was identified and fixed in the media attachment thumbnail settings functionality.

  2. Embeds: Add protocol validation for WordPress Embed code Protocol validation has been added to WordPress Embed code to prevent potential security issues with malicious embeds.

Performance Improvements

GitHub Actions Workflow Improvements

Multiple updates to GitHub Actions workflows have been backported to ensure continued reliability of the testing infrastructure:

  • Addressed deprecated notices related to save-output and set-output
  • Added support for automatically retrying failed workflows once
  • Removed workflow files not applicable to the branch
  • Backported Docker environment related tooling updates for consistency across branches

Impact Summary

WordPress 4.9.23 is primarily a security and maintenance release that addresses important vulnerabilities while also improving the development and testing infrastructure.

The security fixes for CSRF in media attachments and protocol validation for embeds are critical updates that protect sites from potential attacks. These changes don't affect normal site functionality but significantly improve security posture.

The testing infrastructure improvements, while mostly invisible to end users, ensure the continued reliability of WordPress development processes. The refactored HTTP API tests remove external dependencies, making tests more reliable and faster.

The addition of new translation strings for end-of-life notifications prepares the way for better communication with users when a WordPress branch reaches its end of support.

Overall, this release demonstrates WordPress's ongoing commitment to security and maintaining a robust development infrastructure, even for older branches of the software.

Statistics:

File Changed18
Line Additions390
Line Deletions75
Line Changes465
Total Commits5

User Affected:

  • Need to update their WordPress installations to address security vulnerabilities
  • Will benefit from improved security against CSRF attacks in media attachments
  • Will see new end-of-life notification strings when applicable

Contributors:

peterwilsonccdesrosjSergeyBiryukov