From the WordPress 4.9.1 release post: WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:
- Use a properly generated hash for the `newbloguserkey` instead of a determinate substring.
- Add escaping to the language attributes used on
- Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
In addition to the security issues above, WordPress 4.9.1 contains 11 bug fixes.
- #42573 – Templates not working properly
- #42673 – Themes page throws console error when there is only one installed theme
- #42574 – MediaElement upgrade causing JS errors when certain languages are in use, e.g. de_DE-formal
- #42579 – Correct the logic in extract_from_markers()
- #42242 – `lang` attribute in the admin area doesn’t reflect a user’s language setting
- #42454 – Unable to translate codex URL in theme-editor.php
- #42607 – Documentation says “page_attributes_misc_attributes” hook is since 4.8
- #42609 – Regression: WordPress 4.9 theme editor cannot edit files when running on a Windows based server
- #42628 – New function flatten_dirlist in 4.9 doesn’t play nice with folders with numeric names
- #42641 – On multisite upgrade the wp_blog_versions table doesn’t get updated
- #42634 – Regression: WordPress 4.9 does not parse DB_HOST socket paths with colons correctly