{"id":5215,"date":"2017-11-29T20:33:11","date_gmt":"2017-11-29T20:33:11","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=5215"},"modified":"2022-11-18T22:53:14","modified_gmt":"2022-11-18T22:53:14","slug":"wordpress-4-9-1-security-and-maintenance-release","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2017\/11\/wordpress-4-9-1-security-and-maintenance-release\/","title":{"rendered":"WordPress 4.9.1 Security and Maintenance Release"},"content":{"rendered":"\n

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosure: Rahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were: