WordPress 4.9.5

WordPress 4.9.5 is now available. This maintenance and security release fixes 28 bugs.

Download WordPress 4.9.5 or visit Dashboard → Updates and click “Update Now”. Sites that support automatic background updates are already beginning to update automatically.

Thank you to everyone who contributed to WordPress 4.9.5:

1265578519Aaron JorbinAdam SilversteinAlain SchlesseralexgsoAndrea Ferciaandrei0x309antipoleAnwer ARBirgir Erlendsson (birgire)Blair jersyerBrooke.Chetan Prajapaticodegrauconner_bwDavid A. KennedydesignsimplyDion HulseDominik Schilling (ocean90)ElectricFeetericmeyerFPCSJamesGarrett HyderGary PendergastGennady KovsheninHenry WrightJb AudrasJeffrey PaulJip MoorsJoe McGillJoen AsmussenJohn BlackbournjohnpgreenJunaid AhmedkristastevensKonstantin ObenlandLaken HafnerLance WillettleemonMel ChoyceMike SchrodermrmadhatnandorskyNidhi JainPascal BirchlerqcmiaoRachel BakerRachel PeterRavanHSamuel Wood (Otto)Sebastien SERRESergey BiryukovShital MarakanaStephen EdgarTammie ListerThomas VitaleWill Kwon, and Yahil Madakiya.

4.9.5 changelog

WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:

  • Switch to wp_safe_redirect() when redirecting the login page when SSLSSL Secure Sockets Layer. Provides a secure means of sending data over the internet. Used for authenticated and private actions. is forced (see related changeset).
  • Escape HTMLHTML HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers. returned from get_the_generator() (see related changeset).
  • Disallow localhost in wp_http_validate_url() (see related changeset).

Thank you to the reporters of these issues for practicing responsible security disclosurexknownNitin Venkatesh (nitstorm), and Garth Mortensen..

See the full list of closed tickets in TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress..

Build/Test Tools

  • #43190 – Update prefixed CSSCSS Cascading Style Sheets. properties in about.css

Bundled Theme

  • #43317 – Twenty Seventeen: underline links in comments
  • #43572 – Bundled Themes: Bump version number and update changelog in Twenty Seventeen for 4.9.5 release


  • #39045 – Remove unnecessary aria-required attribute for elements that have requiredattribute.


  • #36884 – In menus: correct oversized viewport after dragging menu items
  • #43307 – Correct closing tags in customize_themes_print_templates()
  • #43333 – In menus: reset results when closing the ‘add items’ panel.

Filesystem APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.

  • #43417 – Avoid an infinite loopLoop The Loop is PHP code used by WordPress to display posts. Using The Loop, WordPress processes each post to be displayed on the current page, and formats it according to how it matches specified criteria within The Loop tags. Any HTML or PHP code in the Loop will be processed on each post. https://codex.wordpress.org/The_Loop. in wp_mkdir_p() when trying to determine the parent folder with open_basedir restriction in effect.


  • #43312 – Avoid a PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 5.6.20 or higher 7.2 warning in wp_kses_attr() when one of $allowedtags elements is an uncountable value.


  • #38332 – Replace Cheatin’ uh? with friendlier error messages
  • #42789 – Readme: Update recommended PHP version to 7.2


  • #41242 – Fix image cropping on touch screen devices
  • #42724 – On Media Settings screen, make the pairs of labels and inputs always stacked vertically, on both mobile and desktop screens
  • #42968 – Grid view – correct placeholder positioning during uploads
  • #43123 – Revert max-width styles on caption shortcodes
  • #43201 – Avoid a PHP warning in wp_calculate_image_srcset() if a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party returns a non-array value via wp_calculate_image_srcset() filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output.
  • #43226 – Correctly allow changing PDF thumbnail crop value

Bundled plugins

  • #43555 – Update Hello Dolly lyrics

Networks and Sites

  • #43568 – Use a numbered placeholder in sprintf() for the site URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org

Rest APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/.

  • #42948 – Backbone client sending empty string in X-WP-Nonce headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. by default in some cases
  • #43265 – REST API JavaScriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/. Client: Support an empty string for nonce to disable sending the X-WP-Nonce header
  • #43266 – Extend custom nonce functionality to collections


  • Disallow localhost in wp_http_validate_url().
  • Switch to wp_safe_redirect() when redirecting the login page when SSL is forced.
  • Escape HTML returned from get_the_generator().
  • #43285 – Loosen the adminadmin (and super admin) referrer policy header value to allow the referring host to be sent from the admin area in all cases


  • #42713 – Display partial names in the user listing tables


  • #43216 – Add default values to IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings