WordPress 6.2.1: A Maintenance and Security Release
WordPress 6.2.1 has been released, and it is a maintenance and security release that includes important fixes for five security vulnerabilities. The release was announced by core contributor and release co-lead Jb Audras, who outlined the security vulnerabilities that have been addressed in this release.
The first vulnerability that has been addressed is related to block themes parsing shortcodes in user-generated data. This vulnerability could have allowed an attacker to execute malicious code on a website by exploiting the way block themes parse shortcodes in user-generated data.
The second vulnerability that has been addressed is related to a CSRF issue updating attachment thumbnails. This vulnerability could have allowed an attacker to execute malicious code on a website by exploiting the way WordPress handles attachment thumbnails.
The third vulnerability that has been addressed is related to a flaw allowing XSS via open embed auto-discovery. This vulnerability could have allowed an attacker to execute malicious code on a website by exploiting the way WordPress handles open embed auto-discovery.
The fourth vulnerability that has been addressed is related to bypassing of KSES sanitization in block attributes for low privileged users. This vulnerability could have allowed an attacker to execute malicious code on a website by exploiting the way WordPress handles KSES sanitization in block attributes for low privileged users.
The fifth vulnerability that has been addressed is related to a path traversal issue via translation files. This vulnerability could have allowed an attacker to execute malicious code on a website by exploiting the way WordPress handles path traversal issues via translation files.
All of these vulnerabilities have been patched in WordPress 6.2.1, and the patches have also been backported to WordPress 4.1. It is recommended that all users update their WordPress installations immediately to ensure that their websites are secure.
In addition to the security fixes, WordPress 6.2.1 also includes 20 core bug fixes and 10 fixes for the block editor. These fixes are detailed with ticket numbers in the release candidate post.
If you have automatic background updates enabled, you should see a notice in your email about the update. Otherwise, you can manually update your WordPress installation by going to the Dashboard > Updates page and clicking on the “Update Now” button.
In conclusion, WordPress 6.2.1 is an important maintenance and security release that addresses five security vulnerabilities and includes several bug fixes. It is recommended that all users update their WordPress installations immediately to ensure that their websites are secure.
