All versions of WordPress 3.7 onwards have been patched to fix four new security vulnerabilities.
As reported in the security and maintenance release notes for v4.9.1, the following fixes have been implemented in the latest security release:
- Use a properly generated hash for the newbloguser key instead of a determinate substring.
- Add escaping to the language attributes used on html elements.
- Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
If your installation of WordPress is not configured to update automatically for security releases you are advised to upgrade your version of WordPress to this latest version to ensure your website is not exploitable.
Whilst security auto-updates are turned on by default for most installs of WordPress, sometimes developers or hosting companies turn off the updates to ensure there are no conflicts from upgrades with the normal functioning of the site. If you’re not sure whether it’s up to you to install these updates or whether your developer does it for you, best double check.