CVE-2018-6389 (https://nvd.nist.gov/vuln/detail/CVE-2018-6389): In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. While the CVE text is only about 4.9.2, this vulnerability is still unpatched and therefore present in current 4.9.4 release.
NO longer in tree. Vulnerable versions have been removed.