WordPress 4.9.5 is available for download and is a maintenance and security release. WordPress 4.9.4 and earlier versions are affected by three security issues. The following security hardening changes are in 4.9.5.
- Localhost is no longer treated as the same host by default.
- Safe redirects are used when redirecting the login page if SSL is forced.
- Versions strings are correctly escaped for use in generator tags.
Twenty-five bugs are fixed in this release including, improve compatibility with PHP 7.2, previous styles on caption shortcodes are restored, and clearer error messages. To see a full list of changes along with their associated trac tickets, check out the detailed release post.