An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.
MediaElement has released a new version that contains a fix for the bug, and a WordPress plugin containing the fixed files is available in the plugin repository.
21 other bugs were fixed in WordPress 4.9.2. Of particular note were:
- Bundled Theme: #42820 – Twenty Seventeen - watch that language
- Customize:
  - #42492 – Selecting menu location changes line height
  - #42871 – Features box text strings in Feature Filter area need new line break
- Database: #42812 – Use MySQLi when available by default
- Editor: #42664 – Editor link autocomplete suggestions: no fallback title displayed for posts with no title
- External Libraries: #42439 – Update random_compat external library for PHP 7 linting failure
- Formatting: #42578 – PHP functions inside `<p>` tags create a new `<p>` tag, breaking the parent tag in two
- Media:
  - #42225 – Whitelist FLAC files
  - #42447 – Mark test_remove_orientation_data_on_rotate as skipped when exif_read_data isn't available
  - #42480 – Consistent suppression of `getimagesize()` errors
  - #42720 – Remove unnecessary MediaElement.js files
- Plugins: #43082 – Add plugins search results: the plugin details modal opens in the thickbox modal
- REST API: #42828 – Hard-coded 403 status in REST response should use `rest_authorization_required_code()`
- Taxonomy:
  - #42771 – WP_Term::get_instance() regression for non-category terms queried with 'category' taxonomy
  - #42605 – category_description() does not work properly since 4.9
  - #42717 – get_category_link() accepting object but not id
- TinyMCE: #42416 – Code assumes iframe mode, exception in inline mode
- Upgrade/Install: #42963 – Improve deletion of $_old_files during upgrades
- Widgets:
  - #42603 – Widgets warning after activating theme and on dashboard widgets page
  - #42719 – Always attempt to restore widgets' previous assignment
  - #42867 – HTML Widget: toggleClass() should be passed true/false as second param