From the WordPress 4.9.2 release post: WordPress versions 4.9 and earlier are affected by an XSS vulnerability in the Flash fallback files in MediaElement 4.x. The following fixes have been implemented in this release:
- Upgrade: When deleting old files, if deletion fails attempt to empty the file instead. (#42963)
- External Libraries: Remove unnecessary / obsoleted MediaElement.js files. (#42720)
List of files revised
wp-admin/about.php
wp-admin/includes/update-core.php
wp-includes/js/mediaelement/silverlightmediaelement.xap
wp-includes/js/mediaelement/flashmediaelement.swf
wp-includes/version.php