• Hosts are now able to offer a button for their customers to update PHP.
  • The recommended PHP version used from the “Update PHP” notice is now able to be filtered.
  • Several small bug fixes.

You are able to download WordPress 5.1.1 or visit Dashboard → Upgrades and click Update Today . Sites which support automatic background upgrades have started to upgrade.
WordPress 5.1.1 has been a short-cycle maintenance launch. Version 5.1.2 is anticipated to adhere to a similar two week launch cadence.

This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. Having a maliciously remark, there was a WordPress post exposed to cross-site scripting.

Upgraded versions of WordPress 5.0 and earlier are also available for any consumers who have not yet updated to 5.1.
Highlights of the release include:
WordPress 5.1.1 is now available! This safety and maintenance release presents 14 repairs and enhancements, such as changes designed to help hosts prepare users for the minimal PHP version bump coming in 5.2.

Props to Simon Scannell of RIPS Technologies who discovered this flaw independent of some work that was being performed by members of their security group that is core. Thank you to all the colleagues for privately revealing the vulnerabilities, which gave us time to fix them before WordPress sites could be assaulted.
In addition to this security researcher mentioned previously, thank you to everybody who contributed to WordPress 5.1.1:

You can browse the full list of changes on Trac.
Aaron Jorbin, Alex Concha, Andrea Fercia, Andy Fragen, Anton Vanyukov, Ben Bidner, bulletdigital, David Binovec, Dion Hulse, Felix Arntz, Garrett Hyder, Gary Pendergast, Ian Dunn, Jake Spurlock, Jb Audras, Jeremy Felt, Johan Falk, Jonathan Desrosiers, Luke Carbis, Mike Schroder, Milan Dinić, Mukesh Panchal, Paul Biron, Peter Wilson, Sergey Biryukov, and Weston Ruter.