On April 14, 2021, WordPress 4.9.17 was released to the public.
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Two security issues affect WordPress versions between 4.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 4.7 have also been updated to fix the following security issues:
- thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8
- thanks Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
Props to Adam Zielinski, Pascal Birchler, Peter Wilson, Juliette Reinders Folmer, Alex Concha, Ehtisham Siddiqui, Timothy Jacobs and the WordPress security team for their work on these issues.
The 4.9.17 release was led by @peterwilsoncc and @audrasjb.
List of Files Revised
wp-includes/ID3/getid3.lib.php wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php wp-includes/blocks/latest-posts.php
block-library: 2.9.9 edit-post: 3.8.9 edit-widgets: 0.7.9