WordPress 4.9.5 is now available. This is a Security and Maintenance Release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:
- Don’t treat as
localhostthe same host by default.
- Use safe redirects when redirecting the login page if SSL is forced.
- Make sure the version string is correctly escaped for use in generator tags.
Thank you to the reporters of these issues for practicing coordinated security disclosure: xknown of the WordPress Security Team, Nitin Venkatesh (nitstorm), and Garth Mortensen of the WordPress Security Team.
Particularly important bugs were fixed in WordPress 4.9.5. like:
- The previous styles on caption shortcodes have been restored.
- Cropping on touchscreen devices is now supported.
- A variety of strings such as error messages have been updated for better clarity.
- The position of an attachment placeholder during uploads has been fixed.
- Improved compatibility with PHP 7.2.
The complete list of the 25 bugs, that were fixed in WordPress 4.9.5.:
- #43190 – Update prefixed CSS properties in about.css
- #43317 – Twenty Seventeen: underline links in comments
- #43572 – Bundled Themes: Bump version number and update changelog in Twenty Seventeen for 4.9.5 release
- #39045 – Remove unnecessary aria-required attribute for elements that have “requiredattribute”.
- #36884 – In menus: correct oversized viewport after dragging menu items
- #43307 – Correct closing tags in customize_themes_print_templates()
- #43333 – In menus: reset results when closing the ‘add items’ panel.
- #43417 – Avoid an infinite loop in wp_mkdir_p() when trying to determine the parent folder with open_basedir restriction in effect.
- #43312 – Avoid a PHP 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.
- #38332 – Replace Cheatin’ uh? with friendlier error messages
- #42789 – Readme: Update recommended PHP version to 7.2
- #41242 – Fix image cropping on touchscreen devices
- #42724 – On Media Settings screen, make the pairs of labels and inputs always stacked vertically, on both mobile and desktop screens
- #42968 – Grid view – correct placeholder positioning during uploads
- #43123 – Revert max-width styles on caption shortcodes
- #43201 – Avoid a PHP warning in wp_calculate_image_srcset() if a plugin returns a non-array value via wp_calculate_image_srcset() filter
- #43226 – Correctly allow changing PDF thumbnail crop value
- #43555 – Update Hello Dolly lyrics
Networks and Sites
- #43568 – Use a numbered placeholder in “sprintf()” for the site URL
- #42948 – Backbone client sending empty string in X-WP-Nonce header by default in some cases
- #43266 – Extend custom nonce functionality to collections
- Switch to
wp_safe_redirect()when redirecting the login page when SSL is forced.
- Escape HTML returned from
- #43285 – Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases
- #42713 – Display partial names in the user listing tables
- #43216 – Add default values to IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings