WordPress 6.4.2 Maintenance & Security Release

WordPress 6.4.2 is now available!

This minor release features 7 bug fixes in Core. The fixes include a bug fix for an issue causing stylesheet and theme directories to sometimes return incorrect results.

This release also features one security fix. Because this is a security release, it is recommended that you update your sites immediately.

You can download WordPress 6.4.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.2 is a short-cycle release. The next major release will be version 6.5, planned for early 2024.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team addressed the following vulnerability in this release.

  • A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.

To help the security team and WordPressers around the world, you are encouraged to responsibly report vulnerabilities. This allows vulnerabilities to be fixed in future releases.

Thank you to these WordPress contributors

This release was led by Aaron Jorbin.

WordPress 6.4.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akira Tachibana, Alex Concha, Angela Jin, Anton Vlasenko, Barry, bernhard-reiter, Caleb Burks, Corey Worrell, crstauf, Darren Ethier (nerrad), David Baumwald, Dennis Snell, Dion Hulse, Erik, Fabian Todt, Felix Arntz, Héctor Prieto, ironprogrammer, Isabel Brison, Jb Audras, Jeffrey Paul, Jessica Lyschik, Joe McGill, John Blackbourn, Jonathan Desrosiers, Kharis Sulistiyono, Krupal Panchal, Kylen Downs, meta4, Mike Schroder, Mukesh Panchal, partyfrikadelle, Peter Wilson, Pieterjan Deneys, rawrly, rebasaurus, Sergey Biryukov, Tonya Mork, vortfu

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core channel. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to @angelasjin and @desrosj for proofreading.

Alert: WordPress Security Team Impersonation Scams

The WordPress Security Team is aware of multiple ongoing phishing scams impersonating both the “WordPress team” and the “WordPress Security Team” in an attempt to convince administrators to install a plugin on their website which contains malware.

The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.

If you receive an unsolicited email claiming to be from WordPress with instructions similar to those described above, disregard it and report it as a scam to your email provider.

These emails link to a phishing site that appears to be the WordPress plugin repository, on a domain that is not owned by WordPress or an associated entity. Both Patchstack and Wordfence have written articles that go into further detail.

Official emails from the WordPress project will always:

  • Come from a @wordpress.org or @wordpress.net domain.
  • Say “Signed by: wordpress.org” in the email details section.
Screenshot of email sent by a WordPress.org email account. The details include "mailed-by wordpress.org" and "signed-by wordpress.org".

The WordPress Security Team will only communicate with WordPress users in the following locations:

The WordPress Plugin team will never communicate directly with a plugin’s users but may email plugin support staff, owners and contributors. These emails will be sent from plugins@wordpress.org and be signed as indicated above.

The official WordPress plugin repository is located at wordpress.org/plugins, with internationalized versions on subdomains such as fr.wordpress.org/plugins, en-au.wordpress.org/plugins, etc. A subdomain may contain a hyphen; however, a dot will always appear immediately before wordpress.org.
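The two checks the post describes (mail must come from a @wordpress.org or @wordpress.net address and be signed by wordpress.org; the plugin repository is wordpress.org/plugins or a subdomain with a dot immediately before wordpress.org), written out as an added example. This is not code from the post or from the WordPress project. It assumes the sender and signature information are available as a From: header and an RFC 8601 Authentication-Results header; the function names, the sample URLs and the sample addresses are hypothetical.

```python
# Added example; not code from the WordPress.org post or the WordPress project.
# Applies the post's rules (official mail comes from @wordpress.org or
# @wordpress.net and is signed by wordpress.org; the plugin repository is
# wordpress.org/plugins or a subdomain with a dot right before wordpress.org)
# so that lookalike hosts and spoofed display names cannot pass.
import email.utils
import re
from urllib.parse import urlsplit

SENDER_DOMAINS = ("wordpress.org", "wordpress.net")   # from the post
REPOSITORY_DOMAIN = "wordpress.org"                   # from the post


def is_official_host(hostname: str, domain: str = REPOSITORY_DOMAIN) -> bool:
    """True for the domain itself or a real subdomain of it.

    Requiring '.' + domain as a suffix (not a substring search) rejects
    wordpress.org.example.com, wordpress-org.com and fr-wordpress.org.
    """
    host = hostname.strip().rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def is_official_url(url: str) -> bool:
    """Parse the URL and test only its host part, so userinfo tricks
    (https://wordpress.org@example.com/...) and path tricks
    (https://example.com/wordpress.org/...) do not pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_official_host(parts.hostname)


def is_official_sender(from_header: str) -> bool:
    """Check the actual address in a From: header, never the display name.
    Per the post the domain must be exactly wordpress.org or wordpress.net."""
    _display_name, addr = email.utils.parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    if not at or not local:
        return False
    return domain.lower() in SENDER_DOMAINS


def dkim_signing_domain(authentication_results: str):
    """Return the signing domain of a passing DKIM result, or None.

    Assumption (not from the post): the receiving mail server records the
    signature check in an RFC 8601 Authentication-Results header such as
    'mx.example; dkim=pass header.d=wordpress.org' (some providers write
    header.i=@wordpress.org instead). The "Signed by: wordpress.org" line
    the post mentions is the webmail rendering of that result.
    """
    m = re.search(r"dkim=pass\b[^;]*?header\.(?:d=|i=[^\s;@]*@)([^\s;]+)",
                  authentication_results)
    return m.group(1).lower() if m else None


def looks_like_official_mail(from_header: str, authentication_results: str) -> bool:
    """Both conditions the post lists: an official sender domain and a
    passing DKIM signature from that same domain."""
    if not is_official_sender(from_header):
        return False
    _name, addr = email.utils.parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    return dkim_signing_domain(authentication_results) == sender_domain


if __name__ == "__main__":
    # Constructed inputs in the shape of the phishing the post describes.
    for url in ("https://fr.wordpress.org/plugins/",
                "https://wordpress.org.example.com/plugins/",
                "https://wordpress.org@example.com/plugins/"):
        print(f"{is_official_url(url)!s:5} {url}")
    print(looks_like_official_mail(
        '"security@wordpress.org" <alerts@example.com>',
        "mx.example; dkim=pass header.d=example.com"))
```

The point of parsing rather than string-matching is that every lookalike in the post's description contains the literal text "wordpress.org"; only the parsed host or address, compared against the exact domain or a true subdomain, tells them apart.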

A WordPress site’s administrators can also access the plugin repository via the plugins menu in the WordPress dashboard.

As WordPress is the most used CMS, these types of phishing scams will happen occasionally. Please be vigilant for unexpected emails asking you to install a theme or plugin, or linking to a login form.

The Scamwatch website has some tips for identifying emails and text messages that are likely to be scams.

As always, if you believe that you have discovered a security vulnerability in WordPress, please follow the project’s Security policies by privately and responsibly disclosing the issue directly to the WordPress Security team through the project’s official HackerOne page.


Thank you Aaron Jorbin, Otto, Dion Hulse, Josepha Haden Chomphosy, and Jonathan Desrosiers for their collaboration on and review of this post.

WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes in Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying an XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying an XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying an XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Thank you to these WordPress contributors

This release was led by Joe McGill, Aaron Jorbin and Jb Audras, with the help of David Baumwald on mission control.

WordPress 6.3.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akihiro Harai, Alex Concha, Andrew Ozz, Andy Fragen, Anthony Burchell, Aurooba Ahmed, Ben Dwyer, Carolina Nymark, Colin Stewart, Corey Worrell, Damon Cook, David Biňovec, David E. Smith, Dean Sas, Dennis Snell, Dhruvi Shah, Dion Hulse, Ehtisham S., Felix Arntz, George Mamadashvili, Greg Ziółkowski, Huzaifa Al Mesbah, Isabel Brison, Jb Audras, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Jorge Costa, Justin Tadlock, K. Adam White, Kim Coleman, LarryWEB, Liam Gladdy, Mehedi Hassan, Miguel Fonseca, Mukesh Panchal, Nicole Furlan, Paul Biron, Paul Kevan, Peter Wilson, Pooja N Muchandikar, Rajin Sharwar, Ryan McCue, Sal Ferrarello, Sergey Biryukov, Shail Mehta, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, Weston Ruter, Zunaid Amin, ahardyjpl, beryldlg, floydwilde, jastos, martin.krcho, masteradhoc, petitphp, ramonopoly, vortfu, zieladam

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-4-release-leads channels. Need help? Check out the Core Contributor Handbook.

Already testing WordPress 6.4? The fourth beta is now available (zip) and it contains these security fixes. For more on 6.4, see the beta 3 announcement post.

Thanks to @jeffpaul, @chanthaboune, @peterwilsoncc and @rawrly for proofreading.

WordPress 6.2.2 Security Release

WordPress 6.2.2 is now available!

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release. 

  • Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue.

The issue above was originally patched in the 6.2.1 release, but needed further hardening here in 6.2.2. The Core team is thankful for the community in their response to 6.2.1 and collaboration on finding the best path forward for proper resolution in 6.2.2. The folks who worked on 6.2.2 are especially appreciative for everyone’s understanding while they worked asynchronously to get this out the door as quickly as possible.

Thank you to these WordPress contributors

This release was led by Jonathan Desrosiers.

WordPress 6.2.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Alex Concha, Anthony Burchell, Chloe Bringmann, chriscct7, Daniel Richards, David Baumwald, Ehtisham S., Greg Ziółkowski, Isabel Brison, Jb Audras, Jeffrey Paul, John Blackbourn, Jonathan Desrosiers, Josepha, Marius L. J., Matias Ventura, Mike Schroder, Peter Wilson, Riad Benguella, Robert Anderson, Ryan McCue, Samuel Wood (Otto), Scott Reilly, and Timothy Jacobs

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @cbringmann, @davidbaumwald, @chanthaboune, @jeffpaul for proofreading.

WordPress 6.2.1 Maintenance & Security Release

WordPress 6.2.1 is now available!

This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

This release also features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.1 have also been updated.

WordPress 6.2.1 is a short-cycle release. The next major release will be version 6.3 planned for August 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.2.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue.
  • A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team.
  • A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third-party security audit.
  • Bypassing of KSES sanitization in block attributes for low-privileged users; discovered during a third-party security audit.
  • A path traversal issue via translation files; reported independently by Ramuel Gall & Matt Rusnak at Wordfence, and during a third-party security audit.

Thank you to these WordPress contributors

This release was led by Jb Audras, George Mamadashvili, Sergey Biryukov and Peter Wilson.

WordPress 6.2.1 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Adam Silverstein, Aki Hamano, amin, Andrew Ozz, Andrew Serong, André, Ari Stathopoulos, Birgit Pauli-Haack, Chirag Rathod, Colin Stewart, Daniel Richards, David Baumwald, David Biňovec, Dennis Snell, devshagor, Dhrumil Kumbhani, Dominik Schilling, Ella, George Mamadashvili, Isabel Brison, Jb Audras, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kailey (trepmal), Marc, Marine EVAIN, Matt Wiebe, Mukesh Panchal, nendeb, Nick Diego, nickpap, Nik Tsekouras, Pavan Patil, Peter Wilson, pouicpouic, Riad Benguella, Ryan Welcher, Scott Reilly, Sergey Biryukov, Stephen Bernhardt, tmatsuur, TobiasBg, Tonya Mork, Ugyen Dorji, Weston Ruter, and zieladam.

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @sergeybiryukov for proofreading.

WordPress 6.0.3 Security Release

WordPress 6.0.3 is now available!

This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.3 is a short-cycle release. The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in `wp_nonce_ays` – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

Thank you to these WordPress contributors

This release was led by Alex Concha, Peter Wilson, Jb Audras, and Sergey Biryukov at mission control. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter and Carlos Bravo for their help on package updates.

WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert Anderson, Robin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.

Thanks to @peterwilsoncc for proofreading.

Dropping security updates for WordPress versions 3.7 through 4.0

As of December 1, 2022 the WordPress Security Team will no longer provide security updates for WordPress versions 3.7 through 4.0.

These versions of WordPress were first released eight or more years ago, so the vast majority of WordPress installations run a more recent version. The chances that this will affect your site or sites are very small.

If you are unsure if you are running an up-to-date version of WordPress, please log in to your site’s dashboard. Out of date versions of WordPress will display a notice that looks like this:

WordPress update notice: "WordPress 6.0.2 is available! Please update now."

In WordPress versions 3.8 – 4.0, the version you are running is displayed in the bottom of the “At a Glance” section of the dashboard. In WordPress 3.7 this section is titled “Right Now”.

"At a Glance" section of the WordPress dashboard. The final line includes the exact version of WordPress the site is running.
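For sites you administer from the command line rather than the dashboard, the same version string is stored in wp-includes/version.php. The following added example (not code from the post or the WordPress project) reads it and classifies it against the cutoff the post announces; the file content shown is constructed, and the function names and the `latest` argument the caller supplies are assumptions.

```python
# Added example; not code from the WordPress.org post or the WordPress project.
# Reads the version string WordPress stores in wp-includes/version.php and
# reports whether it falls in the 3.7 to 4.0 range that stops receiving
# security updates on December 1, 2022. Versions are compared numerically so
# that 4.10 sorts above 4.9 and 6.1-RC1 sorts below 6.1.
import re

# Constructed sample of the assignment wp-includes/version.php contains.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.0.38';\n$wp_db_version = 29630;\n"

# Boundaries from the post: updates end for 3.7 through 4.0 (everything
# below 4.1). Versions older than 3.7 were never part of the backport range.
FIRST_DROPPED = "3.7"
FIRST_STILL_SUPPORTED = "4.1"


def parse_wp_version(php_source: str) -> str:
    """Pull the value of $wp_version out of the file's PHP source."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'\s*;", php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version: str) -> tuple:
    """Sortable key: numeric components padded to three, then a flag that
    puts pre-releases (6.1-beta1, 6.1-RC1) below the final 6.1."""
    base, _, suffix = version.partition("-")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))
    return (tuple(parts[:3]), 0 if suffix else 1, suffix.lower())


def support_status(version: str, latest: str) -> str:
    """Classify an installed version against the post's cutoff and the
    current release (`latest` is supplied by the caller, for example from
    the dashboard notice or the wordpress.org download page)."""
    v = version_key(version)
    if v < version_key(FIRST_DROPPED):
        return "older than 3.7: never part of the backport range"
    if v < version_key(FIRST_STILL_SUPPORTED):
        return "3.7 to 4.0: security updates end December 1, 2022"
    if v < version_key(latest):
        return f"behind {latest}: update"
    return "current"


def check_version_php(php_source: str, latest: str) -> tuple:
    """Convenience wrapper returning (installed version, status)."""
    installed = parse_wp_version(php_source)
    return installed, support_status(installed, latest)


if __name__ == "__main__":
    # On a real install, replace the sample with
    # open("/path/to/site/wp-includes/version.php").read()
    print(check_version_php(SAMPLE_VERSION_PHP, "6.0.2"))
```

Comparing version strings lexically is the usual mistake here: "4.10" < "4.9" and "4.0.38" > "4.0.4" as strings, which is why the key converts each component to an integer before comparing.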

The Make WordPress Security blog has further details about the process to end support.

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

The security team would like to thank the following people for responsibly reporting vulnerabilities, allowing them to be fixed in this release:

  • Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency.
  • Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability.

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members and security researchers mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer review.

WordPress 5.8.3 Security Release

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

  • Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
  • Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
  • Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
  • Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

WordPress 5.8.2 Security and Maintenance Release

WordPress 5.8.2 is now available!

This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated.

WordPress 5.8.2 is a small focus security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.2 from WordPress.org, or visit your Dashboard → Updates and click Update Now. If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.8.2 HelpHub documentation page.

Thanks and props!

The 5.8.2 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.2 happen:

Ari Stathopoulos, Bradley Taylor, davidwebca, Evan Mullins, Greg Ziółkowski, Jonathan Desrosiers, Juliette Reinders Folmer, Mukesh Panchal, Sergey Biryukov, shimon246, and Yui.

Props @circlecube and @pbiron for peer review.