WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

WordPress 4.1 “Dinah”

Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.

Introducing Twenty Fifteen


Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.

Twenty Fifteen has flawless language support, with help from Google’s Noto font family.

The straightforward typography is readable on any screen size.

Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.

Distraction-free writing


Just write.

Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.

The Finer Points

Choose a language

Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.

Log out everywhere

If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.

Vine embeds

Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.

Plugin recommendations

The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.

Under the Hood

Complex Queries

Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).

Customizer API

The customizer now supports conditionally showing panels and sections based on the page being previewed.

<title> tags in themes

add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.

Developer Reference

Continued improvements to inline code documentation have made the developer reference more complete than ever.

The Choir

This release was led by John Blackbourn, with the help of these awesome folks. Check out some of their profiles while listening to Dinah Washington on the music service of your choice:

Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, akumria, Alex Concha, Alex Mills (Viper007Bond), Alex Shiels, Allan Collins, Amaury Balmer, Amruta Bhosale, Andrea Fercia, Andrea Gandino, Andrew Munro (sumobi), Andrew Nacin, Andrew Ozz, Andrew Ryno, Andrey "Rarst" Savchenko, Ankit Gade, Ankit K Gupta, Anthony Burchell, arippberger, Austin Matzko, Bainternet, Barry Kooij, Ben Dunkle, Ben May, Bernhard Riedl, Birgir Erlendsson (birgire), bobbingwide, Boone B. Gorges, Brady Vercher, Bram Duvigneau, Brandon Kraft, Brian DiChiara, Brian Richards, Brian Watson, Camden Segal, Captain Theme, Carlos, Caspie, ccprice, Charles Fulton, ChriCo, Chris Aprea, Chris Jean, Chris Marslender, Chris Reynolds, chriscct7, chrisl27, Christian Foellmann, Christopher Finke, Corey Snow, Corphi, curtjen, Damon Cook, Dan Cameron, Daniel Bachhuber, Daniel Convissor, Darren Ethier (nerrad), Daryl Koopersmith, Dave McHale, David A. Kennedy, David Cavins, David Herrera, David Laietta, David Wood, DavidTheMachine, Dennis Ploetner, Dion Hulse, Dirk Weise, Dominik Schilling, Dominik Schwind, Drew Jaynes, Dustin Filippini, Dustin Hartzler, Elio Rivero, Eric Binnion, Eric Holmes, Eric Lewis, Fabien Quatravaux, florianziegler, Gabe Shackle, Gary Cao, Gary Pendergast, Gennady Kovshenin, George Olaru, George Stephanis, Greg Rickaby, Gregory Cornelius, Gregory Karpinsky (@tivnet), Gustavo Bordoni, hardy101, hauvong, Helen Hou-Sandí, heshiming, honeysilvas, hugodelgado, Ian Stewart, ianmjones, Ignacio Cruz Moreno, imath, Ipstenu (Mika Epstein), Ivan Kristianto, J.D. Grimes, jaimieolmstead, jakub.tyrcha, janhenckens, Janneke Van Dorpe, Japh, Jared Wenerd, jarednova, jeanyoungkim, Jeff Farthing, Jeff Stieler, Jeremy Felt, Jeremy Herve, Jesin A, Jesper Johansen (jayjdk), Jesper van Engelen, Jesse Pollak, jipmoors, Joe Dolson, Joe McGill, John Eckman, johnrom, johnstonphilip, Jon Brown, Jon Cave, Jonathan Brinley, Jonathan Desrosiers, Joost de Valk, Jordi Cabot, Joshua Abenazer, JOTAKI Taisuke, jrf, Julien Liabeuf, Justin Sainton, Justin Sternberg, K.Adam White, Kailey (trepmal), kamelkev, karpstrucking, keesiemeijer, Kelly Dwan, Kevin Langley, Kiko Doran, Kim Parsell, Kirk Wight, kitchin, Kite, Knut Sparhell, Konstantin Kovshenin, Konstantin Obenland, Kostas Vrouvas, kristastevens, Kurt Payne, Lance Willett, Laurens Offereins, linuxologos, Liuiza Arunas, loushou, Lutz Schroer, Manoz69, mantismamita, Marco Schmoecker, Mario Peshev, Marius (Clorith), Mark Hudnall, Mark Jaquith, Mark Senff, Marko Heijnen, marsjaninzmarsa, Matias Ventura, Matt Mullenweg, Matt Wiebe, Matthew Boynes, Matthew Haines-Young, mattkeys, Maura Teal, Mel Choyce, Mert Yazicioglu, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, Michael Cain, Michael Pick, michalzuber, Michelle Langston, Miguel Fonseca, Mike Hansen, Mike Jolley, Mike Nelson, Mike Schroder, Mikey Arce, Mitch Canter (studionashvegas), Morgan Estes, Morten Rand-Hendriksen, mvd7793, Nashwan Doaqan, Niall Kennedy, Nick Halsey, Nikhil Vimal, Nikola Nikolov, nobleclem, noplanman, Nowell VanHoesen, OriginalEXE, p_enrique, Paul de Wouters, Paul Schreiber, Paul van Zyl, Paul Wilde, pavelevap, Peter Chester, Peter J. Herrel, Peter Westwood, Peter Wilson, Philip Arthur Moore, phpmypython, Pippin Williamson, Prasath Nadarajah, psycleuk, Ptah Dunbar, quietnic, Rachel Baker, Rami Yushuvaev, ramiabraham, Reuben Gunday, Rian Rietveld, Richard Archambault, Ricky Lee Whittemore, Robert Chapin, Rodrigo Primo, Ryan Boren, Ryan Kienstra, Ryan McCue, Sakin Shrestha, Sam Hotchkiss, Samuel Wood (Otto), Scott Kingsley Clark, Scott Reilly, Scott Taylor, Sergey Biryukov, Shawn Hooper, Simon Pollard, Simon Wheatley, skaeser, Slobodan Manic, socki03, solarissmoke, Stephane Daury, Stephen Edgar, Stephen Harris, Steve Grunwell, Sumit Singh, TacoVerdo, Takashi Irie, Takayuki Miyauchi, Tammie, Tareq Hasan, Taylor Lovett, Thomas Kraftner, Thorsten Frommen, Till, Tobias Schutter, TobiasBg, Toby McKes, Tom J Nowell, Tomas Mackevicius, TomHarrigan, Topher, Torsten Landsiedel, Tracy Levesque, transom, Travis Smith, Ty Carlson, Udit Desai, Umesh Kumar, Vinod Dalvi, vlajos, voldemortensen, Weston Ruter, Yoav Farhi, Yuta Sekine, Zack Rothauser, and Zack Tollman.

There were 283 contributors to this release, again a new high.

If you want to help out or follow along, check out Make WordPress and our core development blog.

Thanks for choosing WordPress. Happy holidays and see you next year for version 4.2!

WordPress 4.1 Release Candidate

The release candidate for WordPress 4.1 is now available.

We’ve made a lot of refinements over the last few weeks. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.1 on Tuesday, December 16, but we need your help to get there. If you haven’t tested 4.1 yet, now is the time! (Please though, not on your live site unless you’re adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

To test WordPress 4.1 RC1, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip). If you’d like to learn more about what’s new in WordPress 4.1, visit the About screen in your dashboard ( → About in the toolbar) or check out the beta announcement.

Developers, please test your plugins and themes against WordPress 4.1 and update your plugin’s Tested up to version in the readme to 4.1 before next week. We never want to break things, so if you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

Be sure to follow along on the core development blog, where we’ll continue to post notes for developers for 4.1. (For example: if you’ve written a child theme for Twenty Fifteen, some of the new pagination functions have been renamed for clarity.)

Testing four point one
Why are we up at this hour?
Code is poetry