WordPress 4.9.1 Security and Maintenance Release

December 2, 2017
WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. WordPress versions 4.9 and earlier are affected by 4 issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to hardening, the following fixes have been implemented in 4.9.1:

  • Use a properly generated hash for the newbloguser key instead of a determinate substring.
  • Add escaping to the language attributes used on HTML elements.
  • Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  • Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
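To illustrate the enclosure fix in the list above, here is an added example (not WordPress core code) that builds a feed `<enclosure>` element with and without attribute escaping and then lists the attributes an XML parser sees in each. The three-line `url`, `length`, `type` input layout and all function names are assumptions made for the illustration.

```php
<?php
// Added example, not WordPress core code. The "url\nlength\ntype" input
// layout and every function name below are assumptions for illustration.

/** Escape a value for use inside a quoted XML attribute. */
function xml_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

/** Weak form: values are interpolated into the markup as-is. */
function enclosure_unescaped(string $meta): string
{
    [$url, $length, $type] = array_map('trim', explode("\n", $meta));
    return "<enclosure url=\"$url\" length=\"$length\" type=\"$type\" />";
}

/** Hardened form: the length is cast to an integer, the rest is escaped. */
function enclosure_escaped(string $meta): string
{
    $parts = array_map('trim', explode("\n", $meta));
    if (count($parts) !== 3) {
        return ''; // malformed record: emit nothing rather than guess
    }
    [$url, $length, $type] = $parts;
    return sprintf('<enclosure url="%s" length="%d" type="%s" />',
        xml_attr($url), max(0, (int) $length), xml_attr($type));
}

/** Attribute names an XML parser reading the feed would see. */
function attribute_names(string $element): array
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($element)) {
        return ['(not well-formed)'];
    }
    $names = [];
    foreach ($doc->documentElement->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample: the type field carries a quote and an extra attribute.
$meta = "https://example.com/a.mp3\n1234\naudio/mpeg\" injected=\"1";
echo implode(',', attribute_names(enclosure_unescaped($meta))), "\n";
echo implode(',', attribute_names(enclosure_escaped($meta))), "\n";
```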

A small number of bugs have been identified which are impactful enough that the core team has decided to release 4.9.1 with fixes for those issues. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows-based servers.


The issues that have been fixed are:

  1. #42573: File caching affecting users’ ability to use the plugin and theme file editors.
  2. #42574: MediaElement causing JS errors when certain languages are in use.
  3. #42579: Incorrect logic in extract_from_markers().
  4. #42454: Unable to translate Codex URL in theme editor.
  5. #42609: Theme editor cannot edit files when running on a Windows server.
  6. #42628: flatten_dirlist() doesn’t play nice with folders with numeric names.
  7. #42634: DB_HOST socket paths with colons not parsed correctly.
  8. #42641: On multisite the wp_blog_versions table doesn’t get updated.
  9. #42673: Themes page throws console error when there is only one installed theme.

In addition, one fix for a bug introduced in WordPress 4.7 will be included in 4.9.1:

  • #42242: lang attribute in the admin area doesn’t reflect a user’s language setting.


by Csaba Miklós