WordPress Release: 4.9.9

Tag Name: 4.9.9

Release Date: 12/13/2018

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 4.9.9 is a security and maintenance release that addresses several important security vulnerabilities and fixes bugs. This update includes improved MIME file type verification, removal of potentially unsafe elements from allowed post tags, and validation of multisite activation links. It also fixes issues with embeds, documentation improvements, and PHP 7.3 compatibility. This release is recommended for all WordPress sites to maintain security and stability.

Highlight of the Release

  • Security improvements with enhanced MIME file type verification
  • Removal of potentially unsafe elements from allowed post tags
  • Validation of multisite activation links
  • Fixed JavaScript error in wp.receiveEmbedMessage when the data parameter is not set
  • PHP 7.3 compatibility fixes
  • Documentation improvements for meta types and functions

Migration Guide

This is a maintenance and security release that doesn't require any specific migration steps. Simply update to WordPress 4.9.9 through your dashboard or by downloading the update from wordpress.org.

After updating, if you've previously added custom allowed tags that include form elements, you may need to review your implementation due to the KSES security changes.

Upgrade Recommendations

This release includes important security fixes and is strongly recommended for all WordPress installations. The security improvements to MIME file type verification, KSES handling, and multisite activation links address potential vulnerabilities that could be exploited.

WordPress 4.9.9 is compatible with existing plugins and themes that work with WordPress 4.9, making it a safe update for all sites currently running WordPress 4.9.x.

Bug Fixes

  • Embeds: Fixed a JavaScript error in wp.receiveEmbedMessage when the data parameter is not set.
  • Taxonomy: Fixed an issue where wp_list_categories() wasn't correctly outputting term names with a value of 0.
  • REST API: Fixed a bug that prevented setting term meta during term creation by passing the correct ID to meta->update_value.
  • PHP 7.3 Compatibility: Fixed E_WARNING errors thrown in PHP 7.3 when using continue to target a switch statement.
  • Try Gutenberg Callout: Improved formatting for Internet Explorer 11 to prevent layout issues.
  • Help/About: Ensured the space after the period for the 4.9.8 changelog entry is preserved.
  • Documentation: Corrected the parameter type for WP_Privacy_Policy_Content::notice() and fixed a typo in the @since entry for WP_Privacy_Policy_Content::add().

New Features

This maintenance release focuses primarily on security enhancements and bug fixes rather than new features. The changes are targeted at maintaining WordPress stability and security.

Security Updates

  • Media: Improved verification of MIME file types to prevent potential security issues.
  • KSES: Conditionally removed the <form> element from $allowedposttags to enhance security, while maintaining backward compatibility by re-adding it if custom filters have added <input> or <select> elements.
  • KSES: Made URI attributes DRY (Don't Repeat Yourself) by introducing the wp_kses_uri_attributes function and filter, centralizing the list of attributes to prevent inconsistency.
  • Multisite: Improved validation of activation links to prevent potential security issues.
  • Editor: Removed unwanted fields (meta_input, file, and guid) before saving posts, as these are not intended to be updated through user input.
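A post-upgrade check for the KSES change described above (and the review step mentioned in the Migration Guide), written as an added example rather than WordPress core code. It assumes a WordPress 4.9.9 install and is run from the site root so that wp-load.php can be found; the sample HTML is constructed.

```php
<?php
// Added example (not WordPress core code): verify the 4.9.9 KSES change on a
// site after upgrading. Assumes this script sits in the WordPress root;
// adjust the wp-load.php path for your layout.
require_once __DIR__ . '/wp-load.php';

/**
 * Report whether <form>, <input> and <select> are present in the 'post'
 * KSES allow-list once every wp_kses_allowed_html filter has run.
 * In 4.9.9 core drops <form> from $allowedposttags, but re-adds it when a
 * custom filter has allowed <input> or <select>, so all three are checked.
 */
function kses_form_status() {
    $tags = wp_kses_allowed_html( 'post' );
    return array(
        'form'   => isset( $tags['form'] ),
        'input'  => isset( $tags['input'] ),
        'select' => isset( $tags['select'] ),
    );
}

// Constructed sample: untrusted post content that carries a form.
$sample = '<p>Hello</p>'
        . '<form action="https://example.invalid/" method="post">'
        . '<input type="text" name="q"></form>';

$status = kses_form_status();
foreach ( $status as $tag => $allowed ) {
    printf( "<%s> allowed in post content: %s\n", $tag, $allowed ? 'yes' : 'no' );
}

// wp_kses_post() filters with the 'post' context, so whatever the report
// above says is what survives here. On a stock site the form markup is
// dropped; if a plugin's filter re-allows <input> or <select>, core also
// re-allows <form>, and both the report and this output will show it.
echo wp_kses_post( $sample ), "\n";
```

If the report shows `<form>` allowed on a site that has no deliberate reason for it, locate the plugin or theme filter that re-adds `<input>` or `<select>` and confirm it is intended.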

Performance Improvements

  • Script Loader: Removed PHP-based compression from load-styles.php and load-scripts.php. This improves performance as the compression was becoming slow and resource-intensive with the growing number of scripts and stylesheets. Most servers are already configured to compress PHP output, making this redundant.

Impact Summary

WordPress 4.9.9 is primarily a security and maintenance release that addresses several important security vulnerabilities and fixes bugs. The security improvements focus on better MIME file type verification, safer handling of allowed HTML tags, and validation of multisite activation links.

The bug fixes address issues with embeds, taxonomy handling, REST API functionality, and PHP 7.3 compatibility. Documentation improvements have also been made to provide more accurate information for developers.

This release is particularly important for site security, as it addresses multiple potential vulnerabilities. The changes to KSES (HTML filtering) improve protection against cross-site scripting (XSS) attacks by removing potentially unsafe elements from allowed post tags while maintaining backward compatibility.

Performance has been improved by removing PHP-based compression from script and style loading, which had become inefficient with the growing number of assets.

Overall, this is an essential update for all WordPress sites to maintain security and stability.

Statistics:

Files Changed: 35
Line Additions: 1,019
Line Deletions: 171
Line Changes: 1,190
Total Commits: 48

Users Affected:

  • Enhanced security with improved MIME file type verification
  • Better protection against potential XSS vulnerabilities with KSES improvements
  • Improved multisite user activation process with better messaging and validation

Contributors:

ocean90, rachelbaker, johnbillion, SergeyBiryukov, peterwilsoncc, getsource, adamsilverstein, boonebgorges, jeremyfelt, pento, iandunn