WordPress 4.9.7 Privacy and Maintenance Release

WordPress 4.9.7 is now available. This is a privacy and maintenance release, that fixes 17 bugs. We encourage you to update your sites to take advantage of the new privacy features.

From the WordPress 4.9.7 release post, WordPress versions 4.9.6 and earlier (​detailed in our post​​ here: 2 WORDPRESS CORE VULNERABILITIES IN JUNE 2018) are affected by a file deletion issue where a user with the capability to edit and delete media files could potentially manipulate media metadata to attempt to delete files outside the uploads directory.

Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.

As part of the core team’s ongoing commitment to security hardening, the following security and maintenance fixes have been implemented:

1. WordPress versions 4.9.6 and earlier are affected by a file deletion issue where a user with the capability to edit and delete media files could potentially manipulate media metadata to attempt to delete files outside the uploads directory.
2. Taxonomy: Improve cache handling for term queries.
3. Posts, Post Types: Clear post password cookie when logging out.
4. Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
5. Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
6. Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

Other highlights of 4.9.7 include:

• @43372 – Privacy: add esc_html to assertion in test_wp_comments_personal_data_exporter.
• @43368 – Security: Harden the random aspect of the hash used for user profile and admin email address changes.
• @43366 – Options, Meta APIs: Use the correct escaping function when outputting the meta box context.
• @43364 – Privacy: Make sure wp_add_privacy_policy_content() does not cause a fatal error by unintentionally flushing rewrite rules outside of the admin context. Add a _doing_it_wrong() message describing the correct usage of the function.
• @43358 – Privacy: Only link to menus panel in Customizer if selected privacy page can be accessed there.
• @43357 – Community Events Dashboard: Always show a WordCamp if one is coming up. WordCamps are celebrations of the local WordPress Community and once a local one is scheduled, people in that community should know it is coming. This adjusts the WordPress Events in the dashboard widgets to always display a WordCamp, even if there are multiple Meetups happening first.
• @43354 – Privacy: Remove unnecessary This email has been sent to ###EMAIL### from privacy emails. The line was copied from the emails that get sent when an email address changes, without considering if it made sense in the new context.
• @43351 – Privacy: Fix typo in default privacy policy text.
• @43349 – Posts, Post Types: Clear post password cookie when logging out.
• @43342 – Users: In wp_validate_user_request_key(), properly return the WP_Error object in case the confirmation email has expired.
• @43316 – Build/Test Tools: Allow the unit test framework to be used without the data directory in place.
• @43314 – Taxonomy: Improve cache handling when querying for terms using all_with_object_id. When a term query using fields=all_with_object_id hits the cache, the cached stdClass objects must be converted to WP_Term objects. This was overlooked when WP_Term_Query was refactored to support object queries in [38667].
• @43306 – Docs: Document the cookies default comment field added in [42772].
• @43305 – Docs: Add missing documentation and duplicate hook references for wp_privacy_personal_data_export_file, wp_privacy_personal_data_exporters, and wp_privacy_personal_data_erasers hooks.
• @43302 – Widgets: Allow basic inline tags in wp_sidebar_description(). The customizer has allowed HTML in sidebar descriptions since adding support for sidebars. This change ensures that basic HTML is also allowed for them in the widgets admin screen.
• @43301 – Comments: Escape permalink values on edit screen to prevent XSS. There doesn’t appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it’s better to be safe than sorry.
• @43300 – Privacy: Correct the error check when creating an export folder in wp_privacy_generate_personal_data_export_file(). wp_mkdir_p() returns false on error, not a WP_Error object.