CVE-2017-17094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17094): wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

CVE-2017-17093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17093): wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17092): wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17091): wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.
@Maintainers, please let us know when the tree is clean. Thank you.
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa224e1e0e8eac0f4b180d0a5a937e29c9387c0d