From the WordPress 4.9.1 release post: WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
- Use a properly generated hash for the
newbloguser
key instead of a determinate substring. - Add escaping to the language attributes used on
html
elements. - Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
- Remove the ability to upload JavaScript files for users who do not have the
unfiltered_html
capability.
In addition to the security issues above, WordPress 4.9.1 contains 11 bug fixes.
Detailed Changes
Themes
- #42573 – Templates not working properly
- #42673 – Themes page throws console error when there is only one installed theme
Media
- #42574 – MediaElement upgrade causing JS errors when certain languages are in use e.g de_DE-formal
Rewrite Rules
- #42579 – Correct the logic in extract_from_markers()
Users
- #42242 – `lang` attribute in the admin area doesn’t reflect a user’s language setting
Text Changes
- #42454 – Unable to translate codex URL in theme-editor.php
Posts
- #42607 – Documentation says “page_attributes_misc_attributes” hook is since 4.8
Editor
- #42609 – Regression: WordPress 4.9 theme editor cannot edit files when running on a Windows based server
Upgrade/Install
- #42628 – New function flatten_dirlist in 4.9 does’t play nice with folders with numeric names
- #42641 – On multisite upgrade the wp_blog_versions table doesn’t get updated
Database
- #42634 – Regression: WordPress 4.9 does not parse DB_HOST socket paths with colons correctly
List of Files Revised
wp-admin/about.php
wp-admin/includes/class-wp-upgrader.php
wp-admin/includes/file.php
wp-admin/includes/meta-boxes.php
wp-admin/includes/misc.php
wp-admin/includes/plugin.php
wp-admin/includes/upgrade.php
wp-admin/js/theme.js
wp-admin/js/theme.min.js
wp-admin/theme-editor.php
wp-admin/user-new.php
wp-includes/class-wp-theme.php
wp-includes/feed.php
wp-includes/functions.php
wp-includes/general-template.php
wp-includes/script-loader.php
wp-includes/version.php
wp-includes/wp-db.php