WordPress 4.9.5

Welcome!

The WordPress core development team builds WordPress! Follow this site for general updates, status reports, and the occasional code debate. There’s lots of ways to contribute:

Found a bug? Create a ticket in our bug tracker.
Want to contribute? Get started quickly with our tickets marked as good first bugs for new contributors. There’s more on our reports page, like patches needing testing.
Other questions? We also have a detailed handbook for contributors, complete with tutorials.

WordPress 4.9.5 is now available. This maintenance and security release fixes 28 bugs.

Download WordPress 4.9.5 or visit Dashboard → Updates and click “Update Now”. Sites that support automatic background updates are already beginning to update automatically.

Thank you to everyone who contributed to WordPress 4.9.5:

1265578519, Aaron Jorbin, Adam Silverstein, Alain Schlesser, alexgso, Andrea Fercia, andrei0x309, antipole, Anwer AR, Birgir Erlendsson (birgire), Blair jersyer, Brooke., Chetan Prajapati, codegrau, conner_bw, David A. Kennedy, designsimply, Dion Hulse, Dominik Schilling (ocean90), ElectricFeet, ericmeyer, FPCSJames, Garrett Hyder, Gary Pendergast, Gennady Kovshenin, Henry Wright, Jb Audras, Jeffrey Paul, Jip Moors, Joe McGill, Joen Asmussen, John Blackbourn, johnpgreen, Junaid Ahmed, kristastevens, Konstantin Obenland, Laken Hafner, Lance Willett, leemon, Mel Choyce, Mike Schroder, mrmadhat, nandorsky, Nidhi Jain, Pascal Birchler, qcmiao, Rachel Baker, Rachel Peter, RavanH, Samuel Wood (Otto), Sebastien SERRE, Sergey Biryukov, Shital Marakana, Stephen Edgar, Tammie Lister, Thomas Vitale, Will Kwon, and Yahil Madakiya.

4.9.5 changelog

WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:

Switch to wp_safe_redirect() when redirecting the login page when SSL is forced (see related changeset).
Escape HTML returned from get_the_generator() (see related changeset).
Disallow localhost in wp_http_validate_url() (see related changeset).

Thank you to the reporters of these issues for practicing responsible security disclosure: xknown, Nitin Venkatesh (nitstorm), and Garth Mortensen..

See the full list of closed tickets in Trac.

Build/Test Tools

#43190 – Update prefixed CSS properties in about.css

Bundled Theme

#43317 – Twenty Seventeen: underline links in comments
#43572 – Bundled Themes: Bump version number and update changelog in Twenty Seventeen for 4.9.5 release

Comments

#39045 – Remove unnecessary aria-required attribute for elements that have requiredattribute.

Customize

#36884 – In menus: correct oversized viewport after dragging menu items
#43307 – Correct closing tags in customize_themes_print_templates()
#43333 – In menus: reset results when closing the 'add items' panel.

Filesystem API

#43417 – Avoid an infinite loop in wp_mkdir_p() when trying to determine the parent folder with open_basedir restriction in effect.

Formatting

#43312 – Avoid a PHP 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.

General

#38332 – Replace Cheatin’ uh? with friendlier error messages
#42789 – Readme: Update recommended PHP version to 7.2

Media

#41242 – Fix image cropping on touch screen devices
#42724 – On Media Settings screen, make the pairs of labels and inputs always stacked vertically, on both mobile and desktop screens
#42968 – Grid view – correct placeholder positioning during uploads
#43123 – Revert max-width styles on caption shortcodes
#43201 – Avoid a PHP warning in wp_calculate_image_srcset() if a plugin returns a non-array value via wp_calculate_image_srcset() filter
#43226 – Correctly allow changing PDF thumbnail crop value

Bundled plugins

#43555 – Update Hello Dolly lyrics

Networks and Sites

#43568 – Use a numbered placeholder in sprintf() for the site URL

Rest API

#42948 – Backbone client sending empty string in X-WP-Nonce header by default in some cases
#43265 – REST API JavaScript Client: Support an empty string for nonce to disable sending the X-WP-Nonce header
#43266 – Extend custom nonce functionality to collections

Security

Disallow localhost in wp_http_validate_url().
Switch to wp_safe_redirect() when redirecting the login page when SSL is forced.
Escape HTML returned from get_the_generator().
#43285 – Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases

Users

#42713 – Display partial names in the user listing tables

XML-RPC

#43216 – Add default values to IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings

WordPress.org

Welcome!

Communication

WordPress 4.9.5

4.9.5 changelog

Build/Test Tools

Bundled Theme

Comments

Customize

Filesystem API

Formatting

General

Media

Bundled plugins

Networks and Sites

Rest API

Security

Users

XML-RPC

WordPress.org

Welcome!

Communication

4.9.5 changelog

Build/Test Tools

Bundled Theme

Comments

Customize

Filesystem API

Formatting

General

Media

Bundled plugins

Networks and Sites

Rest API

Security

Users

XML-RPC

Share this: