HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

6.4.5

WordPress Release: 6.4.5

Tag Name: 6.4.5

Release Date: 6/24/2024

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 6.4.5 is a security and maintenance release that addresses several important security vulnerabilities, including a path traversal issue on Windows in the Template-Part Block and improves HTML attribute sanitization. The release also includes testing infrastructure improvements to ensure better compatibility and performance testing across different PHP versions. This update is recommended for all WordPress 6.4.x users to maintain site security and stability.

Highlight of the Release

    • Fixed path traversal security vulnerability in Template-Part Block on Windows systems
    • Improved HTML attribute sanitization through esc_url()
    • Enhanced Template Part HTML tag sanitization on save
    • Updated testing infrastructure with reusable workflows
    • Fixed performance testing workflow to support PHP 8.2 compatibility

Migration Guide

No specific migration steps are required for this security and maintenance release. WordPress 6.4.5 maintains backward compatibility with previous 6.4.x versions.

To update:

  1. Back up your WordPress site (files and database)
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. Verify your site functionality after the update

No database schema changes or breaking changes to APIs were introduced in this release.

Upgrade Recommendations

Priority: High

This release contains important security fixes that address vulnerabilities in WordPress core. All users running WordPress 6.4.x are strongly encouraged to update to version 6.4.5 immediately.

The security fixes address:

  • Path traversal vulnerability on Windows systems
  • HTML attribute sanitization issues
  • Template part security improvements

As this is a security release, updating promptly is recommended to protect your site from potential exploits. The update process should be straightforward with no expected compatibility issues.

Bug Fixes

Testing Infrastructure Fixes

  • Fixed the Performance workflow in the 6.4 branch by pinning the LOCAL_PHP version to 8.2 to ensure compatibility with base measurements from WordPress 6.1.1
  • Fixed issues with artifact generation for Playground testing
  • Resolved problems with SVN-related commands causing workflow failures
  • Fixed a bug where ZIP files with built WordPress were not being saved as artifacts in the performance workflow

E2E Testing Improvements

  • Added logic to skip Gutenberg plugin activation tests on older WordPress versions where the plugin is incompatible
  • Added explanatory comments to clarify when the Gutenberg e2e test is skipped

New Features

No significant new features were introduced in this maintenance and security release. WordPress 6.4.5 focuses primarily on security fixes and testing infrastructure improvements.

Security Updates

Critical Security Fixes

  • Path Traversal Vulnerability: Fixed a path traversal issue on Windows systems in the Template-Part Block that could potentially allow unauthorized access to files
  • HTML Sanitization: Improved security by ensuring URL attributes are properly processed through esc_url() function
  • Template Part Security: Enhanced sanitization of Template Part HTML tags during the save process

These security fixes address potential vulnerabilities that could be exploited to compromise WordPress sites, particularly those running on Windows servers.

Performance Improvements

This release doesn't introduce specific performance improvements to WordPress core functionality. However, it does include significant improvements to the performance testing infrastructure:

  • Fixed the Performance workflow to ensure accurate benchmarking across PHP versions
  • Ensured compatibility with PHP 8.2 for performance testing against WordPress 6.1.1 baseline
  • Improved artifact generation and handling in CI/CD pipelines

These changes help maintain the integrity of performance testing but don't directly affect end-user performance.

Impact Summary

WordPress 6.4.5 is primarily a security-focused release that addresses several important vulnerabilities, most notably a path traversal issue affecting Windows installations. This release significantly improves the security posture of WordPress sites by enhancing sanitization of HTML attributes and template parts.

Beyond security fixes, the release includes substantial improvements to the testing infrastructure, ensuring better compatibility with different PHP versions and more reliable performance testing. These changes, while not directly visible to end users, contribute to the long-term stability and security of the WordPress platform.

The impact is most significant for sites hosted on Windows servers due to the path traversal fix, but all WordPress installations benefit from the improved HTML sanitization. The release maintains full compatibility with previous 6.4.x versions and requires no special migration steps.

For site administrators, this is a straightforward but important security update that should be applied promptly to maintain site security.

Statistics:

File Changed24
Line Additions306
Line Deletions1,117
Line Changes1,423
Total Commits10

User Affected:

  • Need to update their WordPress installations to address security vulnerabilities
  • Benefit from improved security in template parts and HTML handling
  • Should plan for a routine update with minimal disruption to site functionality

Contributors:

ockhamjoemcgilldesrosjaudrasjbaaronjorbin