From the WordPress 4.9.1 release post: WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
- Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
- Add escaping to the language attributes used on `html` elements.
- Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
- Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.

List of Files Revised

- wp-admin/about.php
- wp-admin/user-new.php
- wp-includes/feed.php
- wp-includes/functions.php
- wp-includes/general-template.php
- wp-includes/version.php
- wp-includes/wp-db.php