Version 4.9.5

From the WordPress 4.9.5 release post: This maintenance release fixes 28 bugs in 4.9, including fixes for Customizer, media library, error notices, and some security fixes. Twenty Seventeen bundled theme and Hello Dolly bundled plugin have also been updated.

Security fixes

WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5:

  • Switch to `wp_safe_redirect()` when redirecting the login page when SSL is forced
  • Escape HTML returned from `get_the_generator()`
  • Disallow localhost in `wp_http_validate_url()`

Thank you to the reporters of these issues for practicing responsible security disclosure: xknown, Nitin Venkatesh (nitstorm), and Garth Mortensen.

Detailed list of maintenance patches

See the full list of closed tickets in Trac:

Build/Test Tools

  • #43190 – Update prefixed CSS properties in `about.css`

Bundled Theme

  • #43317 – Twenty Seventeen: underline links in comments
  • #43572 – Bundled Themes: Bump version number and update changelog in Twenty Seventeen for 4.9.5 release


  • #39045 – Remove unnecessary aria-required attribute for elements that have required attribute.


  • #36884 – In menus: correct oversized viewport after dragging menu items
  • #43307 – Correct closing tags in `customize_themes_print_templates()`
  • #43333 – In menus: reset results when closing the ‘add items’ panel.

Filesystem API

  • #43417 – Avoid an infinite loop in `wp_mkdir_p()` when trying to determine the parent folder with `open_basedir` restriction in effect.


  • #43312 – Avoid a PHP 7.2 warning in `wp_kses_attr()` when one of `$allowedtags` elements is an uncountable value.


  • #38332 – Replace Cheatin’ uh? with friendlier error messages
  • #42789 – Readme: Update recommended PHP version to 7.2


  • #41242 – Fix image cropping on touch screen devices
  • #42724 – On Media Settings screen, make the pairs of labels and inputs always stacked vertically, on both mobile and desktop screens
  • #42968 – Grid view – correct placeholder positioning during uploads
  • #43123 – Revert max-width styles on caption shortcodes
  • #43201 – Avoid a PHP warning in `wp_calculate_image_srcset()` if a plugin returns a non-array value via `wp_calculate_image_srcset()` filter
  • #43226 – Correctly allow changing PDF thumbnail crop value

Bundled plugins

  • #43555 – Update Hello Dolly lyrics

Networks and Sites

  • #43568 – Use a numbered placeholder in `sprintf()` for the site URL

Rest API

  • #42948 – Backbone client sending empty string in X-WP-Nonce header by default in some cases
  • #43265 – Extend custom nonce functionality to collections
  • #43266 – REST API JavaScript Client: Support an empty string for nonce to disable sending the X-WP-Nonce header


  • #43285 – Loosen the admin referrer policy header value to allow the referring host to be sent from the admin area in all cases


  • #42713 – Display partial names in the user listing tables


  • #43216 – Add default values to IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings

List of Files Revised


First published

Last updated