WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities

WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today.

This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras:

  • Block themes parsing shortcodes in user generated data
  • A CSRF issue updating attachment thumbnails
  • A flaw allowing XSS via open embed auto discovery
  • Bypassing of KSES sanitization in block attributes for low privileged users
  • A path traversal issue via translation files

The patches were backported to WordPress 4.1. Now that these vulnerabilities are public, it’s recommended that users update immediately.

WordPress 6.2.1 also includes 20 core bug fixes and 10 fixes for the block editor, all detailed with ticket numbers in the release candidate post.


8 responses to “WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities”

  1. This is one of those cases where security by obscurity isn’t doing anyone any favors. Removing shortcode functionality should have been communicated much better than a vague bullet point in the release post. Even without disclosing the actual issue, it wouldn’t have been much effort to add an extra paragraph to the main post content calling this out, and the fact nobody thought this change warranted some form of highlight or dev note or whatever is rather concerning to say the least.

