Title: Version 4.9.5
Author: Jb Audras
Published: January 15, 2019

---

# Version 4.9.5

## In this article

 * [Security fixes](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#security-fixes)
 * [Detailed list of maintenance patches](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#detailed-list-of-maintenance-patches)
 * [List of Files Revised](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#list-of-files-revised)

[ Back to top](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#wp--skip-link--target)

From the [WordPress 4.9.5 release post](https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/):
This maintenance release fixes 28 bugs in 4.9, including fixes for Customizer, media
library, error notices, and some security fixes. Twenty Seventeen bundled theme 
and Hello Dolly bundled plugin have also been updated.

## 󠀁[Security fixes](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#security-fixes)󠁿

WordPress versions 4.9.4 and earlier are affected by three security issues. As part
of the core team’s ongoing commitment to security hardening, the following fixes
have been implemented in 4.9.5:

 * Switch to `wp_safe_redirect()` when redirecting the login page when SSL is forced
 * Escape HTML returned from `get_the_generator()`
 * Disallow localhost in `wp_http_validate_url()`

Thank you to the reporters of these issues for practicing responsible security disclosure:
xknown, Nitin Venkatesh (nitstorm), and Garth Mortensen.

## 󠀁[Detailed list of maintenance patches](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#detailed-list-of-maintenance-patches)󠁿

See the full list of closed tickets in Trac: [https://core.trac.wordpress.org/query?status=closed&milestone=4.9.5&group=component](https://core.trac.wordpress.org/query?status=closed&milestone=4.9.5&group=component)

Build/Test Tools

 * [#43190](https://core.trac.wordpress.org/ticket/43190) – Update prefixed CSS 
   properties in `about.css`

Bundled Theme

 * [#43317](https://core.trac.wordpress.org/ticket/43317) – Twenty Seventeen: underline
   links in comments
 * [#43572](https://core.trac.wordpress.org/ticket/43572) – Bundled Themes: Bump
   version number and update changelog in Twenty Seventeen for 4.9.5 release

Comments

 * [#39045](https://core.trac.wordpress.org/ticket/39045) – Remove unnecessary aria-
   required attribute for elements that have required attribute.

Customize

 * [#36884](https://core.trac.wordpress.org/ticket/36884) – In menus: correct oversized
   viewport after dragging menu items
 * [#43307](https://core.trac.wordpress.org/ticket/43307) – Correct closing tags
   in `customize_themes_print_templates()`
 * [#43333](https://core.trac.wordpress.org/ticket/43333) – In menus: reset results
   when closing the ‘add items’ panel.

Filesystem API

 * [#43417](https://core.trac.wordpress.org/ticket/43417) – Avoid an infinite loop
   in `wp_mkdir_p()` when trying to determine the parent folder with `open_basedir`
   restriction in effect.

Formatting

 * [#43312](https://core.trac.wordpress.org/ticket/43312) – Avoid a PHP 7.2 warning
   in `wp_kses_attr()` when one of `$allowedtags` elements is an uncountable value.

General

 * [#38332](https://core.trac.wordpress.org/ticket/38332) – Replace Cheatin’ uh?
   with friendlier error messages
 * [#42789](https://core.trac.wordpress.org/ticket/42789) – Readme: Update recommended
   PHP version to 7.2

Media

 * [#41242](https://core.trac.wordpress.org/ticket/41242) – Fix image cropping on
   touch screen devices
 * [#42724](https://core.trac.wordpress.org/ticket/42724) – On Media Settings screen,
   make the pairs of labels and inputs always stacked vertically, on both mobile
   and desktop screens
 * [#42968](https://core.trac.wordpress.org/ticket/42968) – Grid view – correct 
   placeholder positioning during uploads
 * [#43123](https://core.trac.wordpress.org/ticket/43123) – Revert max-width styles
   on caption shortcodes
 * [#43201](https://core.trac.wordpress.org/ticket/43201) – Avoid a PHP warning 
   in `wp_calculate_image_srcset()` if a plugin returns a non-array value via `wp_calculate_image_srcset()`
   filter
 * [#43226](https://core.trac.wordpress.org/ticket/43226) – Correctly allow changing
   PDF thumbnail crop value

Bundled plugins

 * [#43555](https://core.trac.wordpress.org/ticket/43555) – Update Hello Dolly lyrics

Networks and Sites

 * [#43568](https://core.trac.wordpress.org/ticket/43568) – Use a numbered placeholder
   in `sprintf()` for the site URL

Rest API

 * [#42948](https://core.trac.wordpress.org/ticket/42948) – Backbone client sending
   empty string in X-WP-Nonce header by default in some cases
 * [#43265](https://core.trac.wordpress.org/ticket/43265) – Extend custom nonce 
   functionality to collections
 * [#43266](https://core.trac.wordpress.org/ticket/43266) – REST API JavaScript 
   Client: Support an empty string for nonce to disable sending the X-WP-Nonce header

Security

 * [#43285](https://core.trac.wordpress.org/ticket/43285) – Loosen the admin referrer
   policy header value to allow the referring host to be sent from the admin area
   in all cases

Users

 * [#42713](https://core.trac.wordpress.org/ticket/42713) – Display partial names
   in the user listing tables

XML-RPC

 * [#43216](https://core.trac.wordpress.org/ticket/43216) – Add default values to
   IXR_Message for PHP 7.2 compatibility to avoid PHP Warnings

## 󠀁[List of Files Revised](https://wordpress.org/documentation/wordpress-version/version-4-9-5/?output_format=md#list-of-files-revised)󠁿

    ```wp-block-preformatted
    /readme.html
    /wp-activate.php
    /wp-admin/about.php
    /wp-admin/css/about.css
    /wp-admin/css/common.css
    /wp-admin/css/forms.css
    /wp-admin/css/nav-menus.css
    /wp-admin/custom-header.php
    /wp-admin/customize.php
    /wp-admin/edit-comments.php
    /wp-admin/edit-tags.php
    /wp-admin/edit.php
    /wp-admin/includes/bookmark.php
    /wp-admin/includes/class-wp-ms-users-list-table.php
    /wp-admin/includes/class-wp-users-list-table.php
    /wp-admin/includes/file.php
    /wp-admin/includes/image.php
    /wp-admin/includes/misc.php
    /wp-admin/includes/theme.php
    /wp-admin/js/customize-controls.js
    /wp-admin/js/customize-nav-menus.js
    /wp-admin/js/image-edit.js
    /wp-admin/media-upload.php
    /wp-admin/nav-menus.php
    /wp-admin/network/site-users.php
    /wp-admin/options-media.php
    /wp-admin/options.php
    /wp-admin/post-new.php
    /wp-admin/press-this.php
    /wp-admin/term.php
    /wp-admin/themes.php
    /wp-admin/user-new.php
    /wp-admin/users.php
    /wp-admin/widgets.php
    /wp-content/plugins/hello.php
    /wp-content/themes/twentyseventeen/README.txt
    /wp-content/themes/twentyseventeen/assets/css/colors-dark.css
    /wp-content/themes/twentyseventeen/inc/color-patterns.php
    /wp-content/themes/twentyseventeen/style.css
    /wp-includes/IXR/class-IXR-message.php
    /wp-includes/class-wp-customize-manager.php
    /wp-includes/class-wp-xmlrpc-server.php
    /wp-includes/comment-template.php
    /wp-includes/functions.php
    /wp-includes/general-template.php
    /wp-includes/http.php
    /wp-includes/js/imgareaselect/jquery.imgareaselect.js
    /wp-includes/js/imgareaselect/jquery.imgareaselect.min.js
    /wp-includes/js/media-models.js
    /wp-includes/js/media-views.js
    /wp-includes/js/media/controllers/library.js
    /wp-includes/js/media/models/attachments.js
    /wp-includes/js/wp-ajax-response.js
    /wp-includes/js/wp-api.js
    /wp-includes/kses.php
    /wp-includes/media.php
    /wp-includes/script-loader.php
    /wp-includes/version.php
    /wp-login.php
    ```

First published

January 15, 2019

Last updated