On October 17, 2022, WordPress 6.0.3 was released to the public.
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.
- Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Open redirect in `wp_nonce_ays` – devrayn
- Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
- CSRF in wp-trackback.php – Simon Scannell
- Stored XSS via the Customizer – Alex Concha from the WordPress security team
- Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
- Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
- Data exposure via the REST Terms/Tags Endpoint – Than Taintor
- Content from multipart emails leaked – Thomas Kräftner
- SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
- RSS Widget: Stored XSS issue – Third-party security audit
- Stored XSS in the search block – Alex Concha of the WP Security team
- Feature Image Block: XSS issue – Third-party security audit
- RSS Block: Stored XSS issue – Third-party security audit
- Fix widget block XSS – Third-party security audit
WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.
Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert AndersonRobin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.
@wordpress/block-directory: 3.4.15 @wordpress/block-library: 7.3.15 @wordpress/customize-widgets: 3.3.15 @wordpress/edit-post: 6.3.15 @wordpress/edit-site: 4.3.15 @wordpress/edit-widgets: 4.3.15 @wordpress/widgets: 2.4.11
src/wp-admin/about.php src/wp-admin/includes/ajax-actions.php src/wp-admin/includes/post.php src/wp-includes/blocks/legacy-widget.php src/wp-includes/blocks/navigation.php src/wp-includes/blocks/post-featured-image.php src/wp-includes/blocks/rss.php src/wp-includes/blocks/search.php src/wp-includes/blocks/widget-group.php src/wp-includes/class-wp-date-query.php src/wp-includes/class-wp-query.php src/wp-includes/comment.php src/wp-includes/customize/class-wp-customize-header-image-control.php src/wp-includes/customize/class-wp-customize-site-icon-control.php src/wp-includes/deprecated.php src/wp-includes/functions.php src/wp-includes/media-template.php src/wp-includes/pluggable.php src/wp-includes/post.php src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php src/wp-includes/user.php src/wp-includes/version.php src/wp-includes/widgets.php src/wp-mail.php src/wp-trackback.php