According to the WordPress 4.9.2 release post, WordPress versions 4.9 and earlier are affected by an XSS vulnerability in the Flash fallback files in MediaElement 4.x. The following fixes have been implemented in this release:
- Upgrade: When deleting old files, if deletion fails attempt to empty the file instead. (#42963)
- External Libraries: Remove unnecessary / obsoleted MediaElement.js files. (#42720)
List of Files Revised:
- wp-admin/about.php
- wp-admin/includes/update-core.php
- wp-includes/js/mediaelement/flashmediaelement.swf
- wp-includes/js/mediaelement/silverlightmediaelement.xap
- wp-includes/version.php
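A post-upgrade check for the two MediaElement fallback files listed above, as an added example that is not part of the release post or of WordPress itself. It reports whether each file is absent, emptied (the fallback described in #42963, assumed here to leave a zero-byte file) or still present with content; the function names and the command-line usage are assumptions of this example.

```shell
#!/bin/sh
# Audit WordPress roots for the MediaElement Flash/Silverlight fallback files
# that the 4.9.2 release removes. Paths come from the list of revised files.

# Classify one path: absent, emptied (zero bytes), or present (has content).
fallback_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ ! -s "$1" ]; then
        echo emptied
    else
        echo present
    fi
}

# Audit one WordPress root directory. Prints "state<TAB>path" for each file
# and returns 1 if any fallback file still has content.
audit_wp_root() {
    root=$1
    rc=0
    for rel in \
        wp-includes/js/mediaelement/flashmediaelement.swf \
        wp-includes/js/mediaelement/silverlightmediaelement.xap
    do
        state=$(fallback_state "$root/$rel")
        printf '%s\t%s\n' "$state" "$root/$rel"
        if [ "$state" = present ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage (assumed): sh audit.sh /path/to/site1 /path/to/site2
# Exits non-zero if any listed root still serves a non-empty fallback file.
if [ "$#" -gt 0 ]; then
    status=0
    for r in "$@"; do
        audit_wp_root "$r" || status=1
    done
    exit "$status"
fi
```

A root reported as `present` after the upgrade means neither the deletion nor the emptying fallback took effect for that file, which usually points at file permissions or ownership on the install.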