WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.
MediaElement has released a new version that contains a fix for the bug, and a WordPress plugin containing the fixed files is available in the plugin repository.
21 other bugs were fixed in WordPress 4.9.2. Particularly of note were:
- Bundled Theme: #42820 – Twenty Seventeen - watch that language
- Customize: #42492 – Selecting menu location changes line height
- #42871 – Features box textstrings in Feature Filter area need new linebreak
- Database: #42812 – Use MySQLi when available by default
- Editor: #42664 – Editor link autocomplete suggestions: no fallback title displayed for posts with no title
- External Libraries: #42439 – Update random_compat external library for PHP 7 linting failure
- Formatting: #42578 – PHP functions inside `<p>` tags creates new `<p>` tag, breaking the parent tag into two.
- Media: #42225 – Whitelist Flac Files
- #42447 – Mark test_remove_orientation_data_on_rotate as skipped when exif_read_data isn’t available
- #42480 – Consistent suppression of `getimagesize()` errors
- #42720 – Remove unnecessary MediaElement.js files
- Plugins: #43082 – Add plugins search results: the plugin details modal opens in the thickbox modal
- REST API: #42828 – Hard-coded 403 status in REST response should use `rest_authorization_required_code()`
- Taxonomy: #42771 – WP_Term::get_instance() regression for non-category terms queried with ‘category’ taxonomy
- #42605 – category_description() does not work properly since 4.9
- #42717 – get_category_link() accepting object but not id
- TinyMCE: #42416 – Code assumes iframe mode, exception in inline mode
- Upgrade/Install: #42963 – Improve deletion of $_old_files during upgrades
- Widgets: #42603 – Widgets Warning after activating theme and on dashboard widgets page
- #42719 – Always attempt to restore widgets’ previous assignment
- #42867 – HTML Widget: toggleClass() should be passed true/false as second param