WordPress 4.9.5 is now available. This maintenance and security release fixes 28 bugs.
Download WordPress 4.9.5 or visit Dashboard → Updates and click “Update Now”. Sites that support automatic background updates are already beginning to update automatically.
Thank you to everyone who contributed to WordPress 4.9.5:
1265578519, Aaron Jorbin, Adam Silverstein, Alain Schlesser, alexgso, Andrea Fercia, andrei0x309, antipole, Anwer AR, Birgir Erlendsson (birgire), Blair jersyer, Brooke., Chetan Prajapati, codegrau, conner_bw, David A. Kennedy, designsimply, Dion Hulse, Dominik Schilling (ocean90), ElectricFeet, ericmeyer, FPCSJames, Garrett Hyder, Gary Pendergast, Gennady Kovshenin, Henry Wright, Jb Audras, Jeffrey Paul, Jip Moors, Joe McGill, Joen Asmussen, John Blackbourn, johnpgreen, Junaid Ahmed, kristastevens, Konstantin Obenland, Laken Hafner, Lance Willett, leemon, Mel Choyce, Mike Schroder, mrmadhat, nandorsky, Nidhi Jain, Pascal Birchler, qcmiao, Rachel Baker, Rachel Peter, RavanH, Samuel Wood (Otto), Sebastien SERRE, Sergey Biryukov, Shital Marakana, Stephen Edgar, Tammie Lister, Thomas Vitale, Will Kwon, and Yahil Madakiya.
WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core Core is the set of software required to run WordPress. The Core Development Team builds WordPress. team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:
- Switch to
wp_safe_redirect() when redirecting the login page when SSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. is forced (see related changeset).
- Escape HTML HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers. returned from
get_the_generator() (see related changeset).
wp_http_validate_url() (see related changeset).
Thank you to the reporters of these issues for practicing responsible security disclosure: xknown, Nitin Venkatesh (nitstorm), and Garth Mortensen..
See the full list of closed tickets in Trac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress..
- #43190 – Update prefixed CSS Cascading Style Sheets. properties in about.css
- #43317 – Twenty Seventeen: underline links in comments
- #43572 – Bundled Themes: Bump version number and update changelog in Twenty Seventeen for 4.9.5 release
- #39045 – Remove unnecessary aria-required attribute for elements that have requiredattribute.
- #36884 – In menus: correct oversized viewport after dragging menu items
- #43307 – Correct closing tags in customize_themes_print_templates()
- #43333 – In menus: reset results when closing the ‘add items’ panel.
Filesystem API An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.
- #43417 – Avoid an infinite loop The Loop is PHP code used by WordPress to display posts. Using The Loop, WordPress processes each post to be displayed on the current page, and formats it according to how it matches specified criteria within The Loop tags. Any HTML or PHP code in the Loop will be processed on each post. https://codex.wordpress.org/The_Loop. in wp_mkdir_p() when trying to determine the parent folder with open_basedir restriction in effect.
- #43312 – Avoid a PHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.
- #38332 – Replace Cheatin’ uh? with friendlier error messages
- #42789 – Readme: Update recommended PHP version to 7.2
- #41242 – Fix image cropping on touch screen devices
- #42724 – On Media Settings screen, make the pairs of labels and inputs always stacked vertically, on both mobile and desktop screens
- #42968 – Grid view – correct placeholder positioning during uploads
- #43123 – Revert max-width styles on caption shortcodes
- #43201 – Avoid a PHP warning in wp_calculate_image_srcset() if a plugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party returns a non-array value via wp_calculate_image_srcset() filter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output.
- #43226 – Correctly allow changing PDF thumbnail crop value
- #43555 – Update Hello Dolly lyrics
Networks and Sites
- #43568 – Use a numbered placeholder in sprintf() for the site URL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org
Rest API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/.
- #42948 – Backbone client sending empty string in X-WP-Nonce header The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. by default in some cases
- #43266 – Extend custom nonce functionality to collections
- Switch to
wp_safe_redirect() when redirecting the login page when SSL is forced.
- Escape HTML returned from
- #43285 – Loosen the admin (and super admin) referrer policy header value to allow the referring host to be sent from the admin area in all cases
- #42713 – Display partial names in the user listing tables
- #43216 – Add default values to IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings