WordPress Release: 4.9.7

Tag Name: 4.9.7

Release Date: 7/5/2018

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.9.7 is a security and maintenance release that addresses several important issues, including a media deletion vulnerability, XSS protection improvements, and privacy-related fixes. This update strengthens WordPress security, improves privacy tools introduced in 4.9.6, and fixes several bugs affecting the dashboard, widgets, and taxonomy handling.

Highlight of the Release

  • Security fix for media deletion vulnerability that could allow deletion of unintended files
  • Enhanced XSS protection for permalink values on edit screens
  • Improved privacy tools with better error handling and documentation
  • Fixed post password cookie handling to clear cookies when logging out
  • Enhanced WordCamp visibility in the dashboard events widget

Migration Guide

No significant migration steps are required for WordPress 4.9.7 as this is primarily a security and maintenance release. The update process follows the standard WordPress update procedure:

  1. Back up your website before updating
  2. Update through the WordPress dashboard or via manual update
  3. Test your site functionality after update

For Developers

If you've built custom code that interacts with:

  • The privacy tools introduced in 4.9.6, review the improved error handling in wp_privacy_generate_personal_data_export_file() and wp_validate_user_request_key()
  • Term queries using all_with_object_id, be aware of the improved cache handling
  • The wp_add_privacy_policy_content() function, ensure you're calling it only in admin context to avoid triggering the new _doing_it_wrong() notice
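The three developer-facing changes above, as an added PHP example for this page (illustrative plugin code, not WordPress core). It assumes WordPress is loaded, and the my_plugin_* function names and the 'my-plugin' text domain are hypothetical:

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded so that
// wp_mkdir_p(), WP_Error, wp_validate_user_request_key(),
// wp_add_privacy_policy_content() and esc_html__() are available.

// 1. wp_mkdir_p() returns bool, never WP_Error. The pre-4.9.7 export-folder
//    check looked for a WP_Error, so is_wp_error( false ) never caught a failed
//    mkdir. Test the boolean instead.
function my_plugin_prepare_export_dir( $dir ) {
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'mkdir_failed', 'Unable to create export folder.' );
    }
    return $dir;
}

// 2. wp_validate_user_request_key() returns true or a WP_Error (4.9.7 made it
//    return WP_Error for expired confirmation emails). Treat any WP_Error as
//    "not confirmed" rather than assuming a truthy value means success.
function my_plugin_request_is_confirmed( $request_id, $key ) {
    $result = wp_validate_user_request_key( $request_id, $key );
    if ( is_wp_error( $result ) ) {
        error_log( 'Privacy request not confirmed: ' . $result->get_error_message() );
        return false;
    }
    return true === $result;
}

// 3. Register suggested privacy-policy text only in admin context. Calling
//    wp_add_privacy_policy_content() elsewhere now triggers _doing_it_wrong(),
//    so hook it to admin_init instead of calling it at plugin load.
function my_plugin_register_privacy_text() {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6
    }
    $content = '<p>' . esc_html__( 'This plugin stores the visitor IP address for 30 days.', 'my-plugin' ) . '</p>';
    wp_add_privacy_policy_content( 'My Plugin', $content );
}
add_action( 'admin_init', 'my_plugin_register_privacy_text' );
```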

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains important security fixes, particularly for media file deletion and for escaping of permalink values (XSS). All WordPress site owners should update to version 4.9.7 immediately.

The update also includes several improvements to the privacy tools introduced in WordPress 4.9.6, making this an important update for sites that need to comply with privacy regulations like GDPR.

As with any WordPress update:

  • Create a complete backup of your site before updating
  • Test your site thoroughly after updating to ensure all functionality works as expected
  • Update any themes or plugins that might be affected by the changes

Bug Fixes

Privacy Tool Fixes

  • Fixed error check when creating an export folder in wp_privacy_generate_personal_data_export_file() to properly handle false return values from wp_mkdir_p() instead of expecting WP_Error objects.
  • Fixed user request key validation in wp_validate_user_request_key() to properly return WP_Error objects when confirmation emails have expired.
  • Removed unnecessary "This email has been sent to ###EMAIL###" text from privacy emails.
  • Fixed linking to menus panel in Customizer for privacy pages that can't be accessed there.
  • Prevented wp_add_privacy_policy_content() from causing fatal errors by unintentionally flushing rewrite rules outside of admin context.
  • Added proper escaping to assertion in privacy-related test.
  • Fixed a typo in the default privacy policy text.

Security and Data Handling

  • Fixed post password cookie handling to ensure cookies are cleared when logging out.
  • Improved cache handling when querying for terms using all_with_object_id by properly converting cached stdClass objects to WP_Term objects.
  • Used correct escaping function when outputting meta box context.

UI and Display

  • Added support for basic inline HTML tags in sidebar descriptions through wp_sidebar_description().

New Features

Enhanced Widget Functionality

  • Added support for basic inline HTML tags in sidebar descriptions through wp_sidebar_description(), ensuring consistency between the customizer and widgets admin screen.

Improved Community Events Dashboard

  • Modified the WordPress Events dashboard widget to always display upcoming WordCamps, even when multiple Meetups are happening first, ensuring better visibility for these important community events.

Security Updates

Critical Security Fixes

  • Media File Protection: Limited thumbnail file deletions to the same directory as the original file, preventing potential deletion of unintended files.

  • XSS Prevention: Escaped permalink values on edit screens to prevent cross-site scripting (XSS) vulnerabilities. While there was no known direct attack vector, this proactive measure enhances security.

  • User Authentication Hardening: Improved the randomness of hashes used for user profile and admin email address changes, strengthening protection against potential attacks.

  • Meta Box Context Security: Implemented proper escaping when outputting meta box context, preventing potential security issues.
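The media file protection change above, as an added PHP example for this page (an illustrative helper, not WordPress core's patch): thumbnail files are unlinked only when they resolve to the same directory as the original attachment file. It assumes plain PHP with write access to the system temp directory; the file names are constructed for the demo:

```php
<?php
// Added example, not WordPress core code. Deletes thumbnail files only if
// their resolved path lives in the same directory as the original file,
// mirroring the 4.9.7 hardening of attachment deletion.
function delete_thumbnails_same_dir_only( $original, array $thumbs ) {
    $orig_real = realpath( $original );
    if ( false === $orig_real ) {
        return array(); // original missing: delete nothing
    }
    $allowed_dir = dirname( $orig_real );
    $deleted     = array();

    foreach ( $thumbs as $thumb ) {
        // realpath() resolves "..", symlinks and returns false for missing files.
        $thumb_real = realpath( $thumb );
        if ( false === $thumb_real || $thumb_real === $orig_real ) {
            continue;
        }
        if ( dirname( $thumb_real ) !== $allowed_dir ) {
            continue; // outside the original's directory: skip it
        }
        if ( is_file( $thumb_real ) && unlink( $thumb_real ) ) {
            $deleted[] = $thumb_real;
        }
    }
    return $deleted;
}

// Constructed demo: one legitimate thumbnail beside the original, and one
// path that climbs out of the uploads directory. Only the first is removed.
$base = sys_get_temp_dir() . '/wp-demo-' . uniqid();
mkdir( $base . '/uploads', 0700, true );
mkdir( $base . '/elsewhere', 0700, true );
file_put_contents( $base . '/uploads/photo.jpg', 'x' );
file_put_contents( $base . '/uploads/photo-150x150.jpg', 'x' );
file_put_contents( $base . '/elsewhere/other.txt', 'x' );

$removed = delete_thumbnails_same_dir_only(
    $base . '/uploads/photo.jpg',
    array(
        $base . '/uploads/photo-150x150.jpg',
        $base . '/uploads/../elsewhere/other.txt',
    )
);
printf( "removed %d file(s); other.txt still exists: %s\n",
    count( $removed ),
    file_exists( $base . '/elsewhere/other.txt' ) ? 'yes' : 'no' );
```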

Performance Improvements

Taxonomy Query Performance

  • Improved cache handling when querying for terms using all_with_object_id. This fix ensures that when a term query hits the cache, the cached stdClass objects are properly converted to WP_Term objects, addressing an oversight from a previous refactoring of WP_Term_Query.

Unit Test Framework Optimization

  • Enhanced the unit test framework to function properly without requiring the data directory to be in place, making testing more efficient and flexible for developers.

Impact Summary

WordPress 4.9.7 is primarily a security and maintenance release that addresses several important vulnerabilities and bugs. The most significant impact comes from the security fixes, particularly the media deletion vulnerability that could potentially allow deletion of unintended files.

For site administrators and developers, the improvements to privacy tools introduced in 4.9.6 are valuable enhancements that improve error handling, fix documentation, and prevent potential issues. These changes are especially important for sites that need to comply with privacy regulations.

The bug fixes for post password cookies, term query caching, and widget functionality address specific issues that affected certain use cases, improving overall stability and security. The enhancement to always show upcoming WordCamps in the dashboard events widget improves community engagement.

Overall, this release strengthens WordPress's security posture and refines recently introduced privacy features without introducing breaking changes, making it an important but straightforward update for all WordPress sites.

Statistics:

Files Changed: 22
Line Additions: 501
Line Deletions: 68
Line Changes: 569
Total Commits: 21

Users Affected:

  • Enhanced security for media file deletion operations
  • Improved privacy tools with better error handling and documentation
  • Fixed issues with user request key validation
  • Better handling of privacy policy page settings in Customizer

Contributors:

ocean90, SergeyBiryukov, boonebgorges, johnbillion, azaozz, aaroncampbell