Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

You can download WordPress 6.4.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.3 is a short-cycle release. The next major release will be version 6.5 planned for 26 March 2024. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. For further information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• m4tuto for finding a PHP File Upload bypass via Plugin Installer (requiring admin privileges).
• @_s_n_t of @pentestltd working with Trend Micro Zero Day Initiative for finding an RCE POP Chains vulnerability.

Thank you to these WordPress contributors

This release was led by Sarah Norris, Joe McGill, and Aaron Jorbin.

WordPress 6.4.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aki Hamano, Alex Concha, Alex Lende, Alex Stine, Andrea Fercia, Andrei Draganescu, Andrew Ozz, Andrew Serong, Andy Fragen, Ari Stathopoulos, Artemio Morales, ben, bobbingwide, Carlos Bravo, Carolina Nymark, Česlav Przywara, Colin Stewart, Daniel Käfer, Daniel Richards, Dominik Schilling, Ella, Erik, George Mamadashvili, Greg Ziółkowski, Isabel Brison, Joen A., John Blackbourn, Jonathan Desrosiers, joppuyo, Lax Mariappan, luisherranz, Markus, Michal Czaplinski, Mukesh Panchal, Nik Tsekouras, Niluthpal Purkayastha, Noah Allen, Pascal Birchler, Peter Wilson, ramonopoly, Riad Benguella, Sergey Biryukov, Stephen Bernhardt, Teddy Patriarca, Tonya Mork

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-5-release-leads channels. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to Angela Jin, Ehtisham S., Jb Audras, and Marius L. J. for proofreading.

This minor release features 7 bug fixes in Core. The fixes include a bug fix for an issue causing stylesheet and theme directories to sometimes return incorrect results.

This release also features one security fix. Because this is a security release, it is recommended that you update your sites immediately.

You can download WordPress 6.4.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.2 is a short-cycle release. The next major release will be version 6.5 released in early 2024.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team addressed the following vulnerability in this release.

• A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.

To help the security team and WordPressers around the world, you are encouraged to responsibly report vulnerabilities. This allows vulnerabilities to be fixed in future releases.

Thank you to these WordPress contributors

This release was led by Aaron Jorbin.

WordPress 6.4.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akira Tachibana, Alex Concha, Angela Jin, Anton Vlasenko, Barry, bernhard-reiter, Caleb Burks, Corey Worrell, crstauf, Darren Ethier (nerrad), David Baumwald, Dennis Snell, Dion Hulse, Erik, Fabian Todt, Felix Arntz, Héctor Prieto, ironprogrammer, Isabel Brison, Jb Audras, Jeffrey Paul, Jessica Lyschik, Joe McGill, John Blackbourn, Jonathan Desrosiers, Kharis Sulistiyono, Krupal Panchal, Kylen Downs, meta4, Mike Schroder, Mukesh Panchal, partyfrikadelle, Peter Wilson, Pieterjan Deneys, rawrly, rebasaurus, Sergey Biryukov, Tonya Mork, vortfu

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to @angelasjin and @desrosj for proofreading.

The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.

If you receive an unsolicited email claiming to be from WordPress with instructions similar to those described above, please disregard the emails and indicate that the email is a scam to your email provider.

These emails link to a phishing site that appears to be the WordPress plugin repository on a domain that is not owned by WordPress or an associated entity. Both Patchstack and Wordfence have written articles that go in to further detail.

Official emails from the WordPress project will always:

• Come from a @wordpress.org or @wordpress.net domain.
• Should also say “Signed by: wordpress.org” in the email details section.

The WordPress Security Team will only communicate with WordPress users in the following locations:

• the Making WordPress Secure blog at make.wordpress.org/security
• the main WordPress News site at wordpress.org/news

The WordPress Plugin team will never communicate directly with a plugin’s users but may email plugin support staff, owners and contributors. These emails will be sent from plugins@wordpress.org and be signed as indicated above.

The official WordPress plugin repository is located at wordpress.org/plugins with internationalized versions on subdomains, such as fr.wordpress.org/plugins, en-au.wordpress.org/plugins, etc. A subdomain may contain a hyphen, however a dot will always appear before wordpress.org.

A WordPress site’s administrators can also access the plugin repository via the plugins menu in the WordPress dashboard.

As WordPress is the most used CMS, these types of phishing scams will happen occasionally. Please be vigilant for unexpected emails asking you to install a theme, plugin or linking to a login form.

The Scamwatch website has some tips for identifying emails and text messages that are likely to be scams.

As always, if you believe that you have discovered a security vulnerability in WordPress, please follow the project’s Security policies by privately and responsibly disclosing the issue directly to the WordPress Security team through the project’s official HackerOne page.

Thank you Aaron Jorbin, Otto, Dion Hulse, Josepha Haden Chomphosy, and Jonathan Desrosiers for their collaboration on and review of this post.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
• Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
• Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.
• Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
• John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
• mascara7784 and a third-party security audit for identifying a XSS vulnerability in the application password screen.
• Jorge Costa of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.
• s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Thank you to these WordPress contributors

This release was led by Joe McGill, Aaron Jorbin and Jb Audras, with the help of David Baumwald on mission control.

WordPress 6.3.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akihiro Harai, Alex Concha, Andrew Ozz, Andy Fragen, Anthony Burchell, Aurooba Ahmed, Ben Dwyer, Carolina Nymark, Colin Stewart, Corey Worrell, Damon Cook, David Biňovec, David E. Smith, Dean Sas, Dennis Snell, Dhruvi Shah, Dion Hulse, Ehtisham S., Felix Arntz, George Mamadashvili, Greg Ziółkowski, Huzaifa Al Mesbah, Isabel Brison, Jb Audras, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Jorge Costa, Justin Tadlock, K. Adam White, Kim Coleman, LarryWEB, Liam Gladdy, Mehedi Hassan, Miguel Fonseca, Mukesh Panchal, Nicole Furlan, Paul Biron, Paul Kevan, Peter Wilson, Pooja N Muchandikar, Rajin Sharwar, Ryan McCue, Sal Ferrarello, Sergey Biryukov, Shail Mehta, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, Weston Ruter, Zunaid Amin, ahardyjpl, beryldlg, floydwilde, jastos, martin.krcho, masteradhoc, petitphp, ramonopoly, vortfu, zieladam

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-4-release-leads channels. Need help? Check out the Core Contributor Handbook.

Already testing WordPress 6.4? The fourth beta is now available (zip) and it contains these security fixes. For more on 6.4, see the beta 3 announcement post.

Thanks to @jeffpaul, @chanthaboune, @peterwilsoncc and @rawrly for proofreading.

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release. 

• Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue.

The issue above was originally patched in the 6.2.1 release, but needed further hardening here in 6.2.2. The Core team is thankful for the community in their response to 6.2.1 and collaboration on finding the best path forward for proper resolution in 6.2.2. The folks who worked on 6.2.2 are especially appreciative for everyone’s understanding while they worked asynchronously to get this out the door as quickly as possible.

Thank you to these WordPress contributors

This release was led by Jonathan Desrosiers.

WordPress 6.2.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Alex Concha, Anthony Burchell, Chloé Bringmann, chriscct7, Daniel Richards, David Baumwald, Ehtisham S., Greg Ziółkowski, Héctor Prieto, Isabel Brison, Jb Audras, Jeffrey Paul, John Blackbourn, Jonathan Desrosiers, Josepha, Marius L. J., Matias Ventura, Mike Schroder, Peter Wilson, Riad Benguella, Robert Anderson, Ryan McCue, Samuel Wood (Otto), Scott Reilly, and Timothy Jacobs

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @cbringmann, @davidbaumwald, @chanthaboune, @jeffpaul for proofreading.

This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

This release also features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.1 have also been updated.

WordPress 6.2.1 is a short-cycle release. The next major release will be version 6.3 planned for August 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.2.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

• Block themes parsing shortcodes in user generated data; thanks to Liam Gladdy of WP Engine for reporting this issue
• A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
• A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit
• Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
• A path traversal issue via translation files; reported independently by Ramuel Gall & Matt Rusnak at Wordfence, and during a third party security audit.

Thank you to these WordPress contributors

This release was led by Jb Audras, George Mamadashvili, Sergey Biryukov and Peter Wilson.

WordPress 6.2.1 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Adam Silverstein, Aki Hamano, amin, Andrew Ozz, Andrew Serong, André, Ari Stathopoulos, Birgit Pauli-Haack, Chirag Rathod, Colin Stewart, Daniel Richards, David Baumwald, David Biňovec, Dennis Snell, devshagor, Dhrumil Kumbhani, Dominik Schilling, Ella, George Mamadashvili, Isabel Brison, Jb Audras, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kailey (trepmal), Marc, Marine EVAIN, Matt Wiebe, Mukesh Panchal, nendeb, Nick Diego, nickpap, Nik Tsekouras, Pavan Patil, Peter Wilson, pouicpouic, Riad Benguella, Ryan Welcher, Scott Reilly, Sergey Biryukov, Stephen Bernhardt, tmatsuur, TobiasBg, Tonya Mork, Ugyen Dorji, Weston Ruter, and zieladam.

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @sergeybiryukov for proofreading.

This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.3 is a short-cycle release. The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

• Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Open redirect in `wp_nonce_ays` – devrayn
• Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
• CSRF in wp-trackback.php – Simon Scannell
• Stored XSS via the Customizer – Alex Concha from the WordPress security team
• Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
• Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
• Data exposure via the REST Terms/Tags Endpoint – Than Taintor
• Content from multipart emails leaked – Thomas Kräftner
• SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
• RSS Widget: Stored XSS issue – Third-party security audit
• Stored XSS in the search block – Alex Concha of the WP Security team
• Feature Image Block: XSS issue – Third-party security audit
• RSS Block: Stored XSS issue – Third-party security audit
• Fix widget block XSS – Third-party security audit

Thank you to these WordPress contributors

This release was led by Alex Concha, Peter Wilson, Jb Audras, and Sergey Biryukov at mission control. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter and Carlos Bravo for their help on package updates.

WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert AndersonRobin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.

Thanks to @peterwilsoncc for proofreading.

These versions of WordPress were first released eight or more years ago so the vast majority of WordPress installations run a more recent version of WordPress. The chances this will affect your site, or sites, is very small.

If you are unsure if you are running an up-to-date version of WordPress, please log in to your site’s dashboard. Out of date versions of WordPress will display a notice that looks like this:

In WordPress versions 3.8 – 4.0, the version you are running is displayed in the bottom of the “At a Glance” section of the dashboard. In WordPress 3.7 this section is titled “Right Now”.

The Make WordPress Security blog has further details about the process to end support.

This security and maintenance release features 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.2 is a short-cycle release. You can review a summary of the main updates in this release by reading the RC1 announcement.

The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• Fariskhi Vidyan for finding a possible SQL injection within the Link API.
• Khalilov Moe for finding an XSS vulnerability on the Plugins screen.
• John Blackbourn of the WordPress security team, for finding an output escaping issue within the_meta().

Thank you to these WordPress contributors

The WordPress 6.0.2 release was led by @sergeybiryukov and @gziolo.

WordPress 6.0.2 would not have been possible without the contributions of more than 50 people. Their asynchronous coordination to deliver several enhancements and fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Andrei Draganescu, annezazu, Anton Vlasenko, Ari Stathopoulos, Ben Dwyer, Carolina Nymark, Colin Stewart, Darren Coutts, Dilip Bheda, Dion Hulse, eMKey, Fabian Kägy, George Mamadashvili, Greg Ziółkowski, huubl, ironprogrammer, Jb Audras, John Blackbourn, Jonathan Desrosiers, jonmackintosh, Jonny Harris, Kelly Choyce-Dwan, Lena Morita, Linkon Miyan, Lovro Hrust, marybaum, Nick Diego, Nik Tsekouras, Olga Gleckler, Pascal Birchler, paulkevan, Peter Wilson, Sergey Biryukov, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, tommusrhodus, Tomoki Shimomura, Tonya Mork, webcommsat AbhaNonStopNewsUK, and zieladam.

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release:

• Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency
• Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability
• Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members and security researchers mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer review.