From the WordPress 4.9.7 release post, WordPress versions 4.9.6 and earlier are affected by one security issue. As part of the core team’s ongoing commitment to security hardening, the following security and maintenance fixes have been implemented:
- WordPress versions 4.9.6 and earlier are affected by a file deletion issue where a user with the capability to edit and delete media files could potentially manipulate media metadata to attempt to delete files outside the uploads directory.
- Taxonomy: Improve cache handling for term queries.
- Posts, Post Types: Clear post password cookie when logging out.
- Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
- Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
- Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.
List of Files Revised
wp-includes/functions.php
wp-includes/post.php