WordPress 4.9.1 is available for download and is a maintenance and security release. This release addresses four security issues in WordPress 4.9 and below that could potentially be used as part of a multi-vector attack. According to the release notes, the following changes have been made to WordPress to protect against these vulnerabilities.
- Use a properly generated hash for the
newbloguser
key instead of a determinate substring. - Add escaping to the language attributes used on
html
elements. - Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
- Remove the ability to upload JavaScript files for users who do not have the
unfiltered_html
capability.
Rahul Pratap Singh and John Blackbourn are credited with responsibly disclosing the vulnerabilities. In addition to the changes above, 4.9.1 fixes eleven bugs, including the Page Template issue we wrote about last week. Many sites have already updated to 4.9.1 automatically. To see a list of detailed changes, check out this post on Make WordPress Core.