WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. WordPress versions 4.9 and earlier are affected by 4 security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
- Use a properly generated hash for the newbloguser key instead of a determinate substring.
- Add escaping to the language attributes used on HTML elements.
- Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
A small number of bugs have been identified which are impactful enough that the core team has decided to release 4.9.1 with fixes for those issues. Particularly of note were:
- Issues relating to the caching of theme template files.
- The inability to edit theme and plugin files on Windows-based servers.
The issues that have been fixed are:
- #42573: File caching affecting users’ ability to use the plugin and theme file editors.
- #42574: MediaElement upgrade causing JS errors when certain languages are in use.
- #42579: Incorrect logic in
- #42454: Unable to translate Codex URL in theme editor.
- #42609: Theme editor cannot edit files when running on a Windows server.
- flatten_dirlist() doesn’t play nice with folders with numeric names.
- DB_HOST socket paths with colons not parsed correctly.
- #42641: On multisite upgrade the wp_blog_versions table doesn’t get updated.
- #42673: Themes page throws console error when there is only one installed theme.
In addition, one fix for a bug introduced in WordPress 4.7 will be included in 4.9.1:
- lang attribute in the admin area doesn’t reflect a user’s language setting.