According to the WordPress 4.9.5 release post, WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented:
- Don’t treat localhost as same host by default.
- Use safe redirects when redirecting the login page if SSL is forced.
- Make sure the version string is correctly escaped for use in generator tags.
List of Files Revised:
- /wp-login.php
- /wp-includes/general-template.php
- /wp-includes/http.php