WordPress 4.9.1 Released, Fixes Page Template Bug

WordPress 4.9.1 is available for download and is a maintenance and security release. This release addresses four security issues in WordPress 4.9 and below that could potentially be used as part of a multi-vector attack. According to the release notes, the following changes have been made to WordPress to protect against these vulnerabilities.

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Rahul Pratap Singh and John Blackbourn are credited with responsibly disclosing the vulnerabilities. In addition to the changes above, 4.9.1 fixes eleven bugs, including the Page Template issue we wrote about last week. Many sites have already updated to 4.9.1 automatically. To see a list of detailed changes, check out this post on Make WordPress Core.

Leave a Reply

Your email address will not be published. Required fields are marked *