WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today.

This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras:

  • Block themes parsing shortcodes in user-generated data
  • A CSRF issue when updating attachment thumbnails
  • A flaw allowing XSS via open embed auto-discovery
  • Bypassing of KSES sanitization in block attributes by low-privileged users
  • A path traversal issue via translation files

The patches were backported to WordPress 4.1. Now that these vulnerabilities are public, it’s recommended that users update immediately.
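A quick way for a site operator to check whether an install is on the fixed 6.2 release is to read the version string out of `wp-includes/version.php` and compare it against 6.2.1. The following is an added example written for this post, not code from WordPress itself; the sample file contents are constructed, and since the post names only 6.2.1 and the oldest backported branch (4.1), older branches are flagged for a manual check against their own backported release rather than compared against an invented patch number.

```python
import re

# Fixed release named in the post; older branches down to 4.1 received
# backports whose exact patch numbers are not listed here.
FIXED_VERSION = "6.2.1"
OLDEST_BACKPORTED_BRANCH = (4, 1)

# Constructed sample of what wp-includes/version.php looks like on an
# unpatched 6.2 site (not a real file from any install).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.2';\n$wp_db_version = 53496;\n"


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version string from the contents of version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str):
    """Turn '6.2' or '6.2.1' into an integer tuple for ordered comparison.

    A pre-release suffix such as '-RC1' is stripped before splitting.
    """
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def assess(version_php: str) -> str:
    """Classify an install relative to the 6.2.1 security release."""
    installed = version_tuple(parse_wp_version(version_php))
    fixed = version_tuple(FIXED_VERSION)
    branch = installed[:2]
    if branch == fixed[:2]:
        # Same branch: a straight comparison against the fixed release is valid.
        return "patched" if installed >= fixed else "vulnerable: update to 6.2.1"
    if branch > fixed[:2]:
        return "newer branch: not covered by this release"
    if branch >= OLDEST_BACKPORTED_BRANCH:
        # The post says fixes were backported, but not the per-branch
        # version numbers, so the check must be finished by hand.
        return "older branch: confirm the backported security release for %d.%d is installed" % branch
    return "unsupported branch: no backport available; upgrade"


if __name__ == "__main__":
    print(parse_wp_version(SAMPLE_VERSION_PHP), "->", assess(SAMPLE_VERSION_PHP))
```

Run it against the real file with `assess(open('/path/to/wp-includes/version.php').read())`; the comparison is done on integer tuples so that '6.2' correctly sorts below '6.2.1' and '6.10' would sort above '6.9'.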

WordPress 6.2.1 also includes 20 core bug fixes and 10 fixes for the block editor, all detailed with ticket numbers in the release candidate post.