WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes in Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying an XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, and WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying an XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying an XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Thank you to these WordPress contributors

This release was led by Joe McGill, Aaron Jorbin and Jb Audras, with the help of David Baumwald on mission control.

WordPress 6.3.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akihiro Harai, Alex Concha, Andrew Ozz, Andy Fragen, Anthony Burchell, Aurooba Ahmed, Ben Dwyer, Carolina Nymark, Colin Stewart, Corey Worrell, Damon Cook, David Biňovec, David E. Smith, Dean Sas, Dennis Snell, Dhruvi Shah, Dion Hulse, Ehtisham S., Felix Arntz, George Mamadashvili, Greg Ziółkowski, Huzaifa Al Mesbah, Isabel Brison, Jb Audras, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Jorge Costa, Justin Tadlock, K. Adam White, Kim Coleman, LarryWEB, Liam Gladdy, Mehedi Hassan, Miguel Fonseca, Mukesh Panchal, Nicole Furlan, Paul Biron, Paul Kevan, Peter Wilson, Pooja N Muchandikar, Rajin Sharwar, Ryan McCue, Sal Ferrarello, Sergey Biryukov, Shail Mehta, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, Weston Ruter, Zunaid Amin, ahardyjpl, beryldlg, floydwilde, jastos, martin.krcho, masteradhoc, petitphp, ramonopoly, vortfu, zieladam

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-4-release-leads channels. Need help? Check out the Core Contributor Handbook.

Already testing WordPress 6.4? The fourth beta is now available (zip) and it contains these security fixes. For more on 6.4, see the beta 3 announcement post.

Thanks to @jeffpaul, @chanthaboune, @peterwilsoncc and @rawrly for proofreading.

WordPress 6.3.1 Maintenance Release

WordPress 6.3.1 is now available!

This minor release features 4 bug fixes in Core and 6 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress 6.3.1 is a short-cycle release. The next major release will be version 6.4 planned for November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Thank you to these WordPress contributors

This release was led by Jb Audras and Andrew Ozz, with the help of Sergey Biryukov on mission control, and Isabel Brison who worked on Gutenberg backports.

WordPress 6.3.1 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance fixes into a stable release is a testament to the power and capability of the WordPress community.

@antonvlasenko, @audrasjb, @austinginder, @azaozz, @dd32, @dlh, @frankit, @get_dave, @hellofromTonya, @khokansardar, @mathsgrinds, @mukesh27, @peterwilsoncc, @Presskopp, @rajinsharwar, @RavanH, @sergeybiryukov, and @tmatsuur.

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-4-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @jeffpaul for proofreading.

WordPress 6.2.1 Maintenance & Security Release

WordPress 6.2.1 is now available!

This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

This release also features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.1 have also been updated.

WordPress 6.2.1 is a short-cycle release. The next major release will be version 6.3 planned for August 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.2.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue
  • A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
  • A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit
  • Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
  • A path traversal issue via translation files; reported independently by Ramuel Gall & Matt Rusnak at Wordfence, and during a third party security audit.

Thank you to these WordPress contributors

This release was led by Jb Audras, George Mamadashvili, Sergey Biryukov and Peter Wilson.

WordPress 6.2.1 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Adam Silverstein, Aki Hamano, amin, Andrew Ozz, Andrew Serong, André, Ari Stathopoulos, Birgit Pauli-Haack, Chirag Rathod, Colin Stewart, Daniel Richards, David Baumwald, David Biňovec, Dennis Snell, devshagor, Dhrumil Kumbhani, Dominik Schilling, Ella, George Mamadashvili, Isabel Brison, Jb Audras, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kailey (trepmal), Marc, Marine EVAIN, Matt Wiebe, Mukesh Panchal, nendeb, Nick Diego, nickpap, Nik Tsekouras, Pavan Patil, Peter Wilson, pouicpouic, Riad Benguella, Ryan Welcher, Scott Reilly, Sergey Biryukov, Stephen Bernhardt, tmatsuur, TobiasBg, Tonya Mork, Ugyen Dorji, Weston Ruter, and zieladam.

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @sergeybiryukov for proofreading.

WordPress 6.0.3 Security Release

WordPress 6.0.3 is now available!

This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.3 is a short-cycle release. The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in `wp_nonce_ays` – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

Thank you to these WordPress contributors

This release was led by Alex Concha, Peter Wilson, Jb Audras, and Sergey Biryukov at mission control. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter and Carlos Bravo for their help on package updates.

WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert AndersonRobin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.

Thanks to @peterwilsoncc for proofreading.

WordPress 5.9.3 Maintenance Release

WordPress 5.9.3 is now available!

This maintenance release features 9 bug fixes in Core and 10 bug fixes in the block editor.

WordPress 5.9.3 is a short-cycle maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.3 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of both Trac and GitHub changes in the release candidate post, or check out the changelog of version 5.9.3 on HelpHub.

Thanks and props!

The 5.9.3 release was led by Jb Audras and George Mamadashvili.

Special props to Sergey Biryukov for running mission control.

Thank you to everyone who helped make WordPress 5.9.3 happen:

Aki Hamano, Alex Stine, aliakseyenkaihar, Anton Vlasenko, binarymoon, Carlos Bravo, Colin Stewart, David Baumwald, Dion Hulse, George Mamadashvili, glendaviesnz, Greg Ziółkowski, ironprogrammer, Iulia Cazan, Jb Audras, Joe Dolson, Joen A., Jorge Costa, jsnajdr, Marius L. J., Nick Diego, Paul Biron, Peter Smits, pgpagely, Rafi Ahmed, Richard B. Kreckel, Robert Anderson, Rufus87, Sergey Biryukov, Tor-Bjorn Fjellner, Tonya Mork, Abha Thakor, Oliver Juhas, and Weston Ruter.

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

The security team would like to thank the following people for responsibly reporting vulnerabilities, allowing them to be fixed in this release:

  • Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency.
  • Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability.

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members and security researchers mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer review.

WordPress 5.9.1 Maintenance Release

WordPress 5.9.1 is now available!

This maintenance release features 82 bug fixes in both Core and the block editor.

WordPress 5.9.1 is a short-cycle maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.1 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of both Trac and GitHub changes in the release candidate post, or check out the version 5.9.1 HelpHub documentation page.

Thanks and props!

The 5.9.1 release was led by Jb Audras and George Mamadashvili.

Special props to @sergeybiryukov for running mission control.

Thank you to everyone who helped make WordPress 5.9.1 happen:

Albert Juhé Lluveras, Alex Lende, alexstine, André, Anton Vlasenko, Ari Stathopoulos, ArteMa, Ben Dwyer, BlogAid, Carolina Nymark, Channing Ritter, Chris Van Patten, Colin Stewart, Daniel Richards, David Biňovec, David Smith, Dion Hulse, Dominik Schilling, Eddy, Ella van Durpe, Erik, Fabian Kägy, Flinim Asso, gadhiyaravi, George Hotelling, George Mamadashvili, glendaviesnz, Greg Ziółkowski, ianatkins, Ian Belanger, ironprogrammer, itsamoreh, Jb Audras, Jeff Ong, Jeremy Herve, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, KafleG, Kapil Paul, Kjell Reigstad, linux4me2, Lukman Nakib, manfcarlo, Marius L. J., mgol, nidhidhandhukiya, Nik Tsekouras, Omar Alshaker, Paolo L. Scala, Pascal Birchler, Paul Bearne, Pavlo, Petar Ratković, Peter Wilson, Petter Walbø Johnsgård, Phil Johnston, Piotrek Boniu, ravipatel, Riad Benguella, Robert Anderson, Rolf Siebers, Sergey Biryukov, stacimc, Stephen Bernhardt, Sven Wagener, Team Staatic, Tim Nolte, Tonya Mork, webcommsat AbhaNonStopNewsUK, WebMan Design | Oliver Juhas, wpcharged, wpsoul, Yunus Ertuğrul, and Rafi Ahmed.

Thanks to @estelaris, @pbiron, @ironprogrammer, @bph, @abhanonstopnewsuk and @threadi for their help to test the release package.

WordPress 5.3.2 Maintenance Release

WordPress 5.3.2 is now available!

This maintenance release features 5 fixes and enhancements.

WordPress 5.3.2 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.2 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Maintenance updates

Shortly after WordPress 5.3.1 was released, a couple of high severity Trac tickets were opened. The Core team scheduled this quick maintenance release to resolve these issues.

Main issues addressed in 5.3.2:

  • Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
  • Uploads: Fix file name collision in wp_unique_filename() when uploading a file with an uppercase extension on case-insensitive file systems.
  • Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
  • Administration: Fix the colors in all color schemes for buttons with the .active class.
  • Posts, Post Types: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.

For more information, browse the full list of changes on Trac or check out the version 5.3.2 HelpHub documentation page.

Thanks!

Thank you to everyone who contributed to WordPress 5.3.2:

Andrew Ozz, Andrey “Rarst” Savchenko, Dion Hulse, eden159, Jb Audras, Kelly Dwan, Paul Biron, Sergey Biryukov, Tellyworth.

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security updates

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.0 and earlier that fix the security issues.

  • Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
  • Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
  • Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
  • Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

Maintenance updates

Here are a few of the highlights:

  • Administration: improvements to admin form control height and alignment standardization (see related dev note), dashboard widget link accessibility and alternate color scheme readability issues (see related dev note).
  • Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
  • Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
  • Date/time: improve non-GMT date calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
  • Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
  • External libraries: update sodium_compat.
  • Site health: allow the remind interval for the admin email verification to be filtered.
  • Uploads: avoid thumbnails overwriting other uploads when file names match, and exclude PNG images from scaling after upload.
  • Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

Thanks!

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.