WordPress 4.4.2 is a security fix release and strongly recommended. It fixes two security issues: A possible SSRF (Server Side Request Forgery) for certain local URLs and an open redirection attack. Also 17 bug fixes are included.

Here is an overview of the bug fixes:

• wp_list_comments ignores $comments parameter
• 4.4 Regression on Querying for Comments by Multiple Post Fields
• Comments_clauses filter
• ’networks‘ should be global cache group
• Images with latin extended characters in exif (slovak/czech) are missing thumbnails
• Using libsodium for random bytes breaks plugin update in WP 4.4
• Strange pagination issue on front page after 4.4.1 update
• Customizer should not try to return to the login screen
• Error in SQL syntax search page
• Default URL for emoji images should be always https
• Incorrect comment ordering when comment threading is turned off
• Taxonomies Quick Edit: prevent page reload when submitting
• per_page parameter no longer works in wp_list_comments
• ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly
• Incorrect comment pagination when comment threading is turned off
• update_term_cache and deleting object_id
• Button to delete inactive widgets is displayed on inactive sidebars

A more detailed list of changes can you see here.

Don’t forget to keep your WordPress installation up to date and backup before you press the button.