This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.3 is a short-cycle release. The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

• Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Open redirect in `wp_nonce_ays` – devrayn
• Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
• Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
• CSRF in wp-trackback.php – Simon Scannell
• Stored XSS via the Customizer – Alex Concha from the WordPress security team
• Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
• Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
• Data exposure via the REST Terms/Tags Endpoint – Than Taintor
• Content from multipart emails leaked – Thomas Kräftner
• SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
• RSS Widget: Stored XSS issue – Third-party security audit
• Stored XSS in the search block – Alex Concha of the WP Security team
• Feature Image Block: XSS issue – Third-party security audit
• RSS Block: Stored XSS issue – Third-party security audit
• Fix widget block XSS – Third-party security audit

Thank you to these WordPress contributors

This release was led by Alex Concha, Peter Wilson, Jb Audras, and Sergey Biryukov at mission control. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter and Carlos Bravo for their help on package updates.

WordPress 6.0.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert AndersonRobin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarca, Timothy Jacobs, vortfu, and Česlav Przywara.

Thanks to @peterwilsoncc for proofreading.

These versions of WordPress were first released eight or more years ago so the vast majority of WordPress installations run a more recent version of WordPress. The chances this will affect your site, or sites, is very small.

If you are unsure if you are running an up-to-date version of WordPress, please log in to your site’s dashboard. Out of date versions of WordPress will display a notice that looks like this:

In WordPress versions 3.8 – 4.0, the version you are running is displayed in the bottom of the “At a Glance” section of the dashboard. In WordPress 3.7 this section is titled “Right Now”.

The Make WordPress Security blog has further details about the process to end support.

This security and maintenance release features 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 6.0.2 is a short-cycle release. You can review a summary of the main updates in this release by reading the RC1 announcement.

The next major release will be version 6.1 planned for November 1, 2022.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.0.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

• Fariskhi Vidyan for finding a possible SQL injection within the Link API.
• Khalilov Moe for finding an XSS vulnerability on the Plugins screen.
• John Blackbourn of the WordPress security team, for finding an output escaping issue within the_meta().

Thank you to these WordPress contributors

The WordPress 6.0.2 release was led by @sergeybiryukov and @gziolo.

WordPress 6.0.2 would not have been possible without the contributions of more than 50 people. Their asynchronous coordination to deliver several enhancements and fixes into a stable release is a testament to the power and capability of the WordPress community.

Alex Concha, Andrei Draganescu, annezazu, Anton Vlasenko, Ari Stathopoulos, Ben Dwyer, Carolina Nymark, Colin Stewart, Darren Coutts, Dilip Bheda, Dion Hulse, eMKey, Fabian Kägy, George Mamadashvili, Greg Ziółkowski, huubl, ironprogrammer, Jb Audras, John Blackbourn, Jonathan Desrosiers, jonmackintosh, Jonny Harris, Kelly Choyce-Dwan, Lena Morita, Linkon Miyan, Lovro Hrust, marybaum, Nick Diego, Nik Tsekouras, Olga Gleckler, Pascal Birchler, paulkevan, Peter Wilson, Sergey Biryukov, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, tommusrhodus, Tomoki Shimomura, Tonya Mork, webcommsat AbhaNonStopNewsUK, and zieladam.

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release:

• Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency
• Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability
• Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members and security researchers mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer review.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issue (except where noted otherwise):

• Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
• Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
• Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
• Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated.

WordPress 5.8.2 is a small focus security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now. If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.8.2 HelpHub documentation page.

Thanks and props!

The 5.8.2 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.2 happen:

Props @circlecube and @pbiron for peer review.

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

• Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API.
• Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.
• The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

• Props Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.
• Props Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen:

This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8.

You can update to WordPress 5.7.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

One security issue affecting WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issue:

• Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information refer to the version 5.7.2 HelpHub documentation page.

Thanks and props!

The 5.7.2 release was led by @peterwilsoncc and @audrasjb.

Thank you to everyone who helped make WordPress 5.7.2 happen: @audrasjb, @ayeshrajans, @desrosj, @dd32, @peterwilsoncc, @SergeyBiryukov, and @xknown.

This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.7 have also been updated.

WordPress 5.7.1 is a short-cycle security and maintenance release. The next major release will be version 5.8.

You can download WordPress 5.7.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Two security issues affect WordPress versions between 4.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 4.7 have also been updated to fix the following security issues:

• Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
• Thanks Mikael Korpela for reporting a data exposure vulnerability within the REST API.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

Props to Adam Zielinski, Pascal Birchler, Peter Wilson, Juliette Reinders Folmer, Alex Concha, Ehtisham Siddiqui, Timothy Jacobs and the WordPress security team for their work on these issues.

For more information, browse the full list of changes on Trac, or check out the version 5.7.1 HelpHub documentation page.

Thanks and props!

The 5.7.1 release was led by @peterwilsoncc and @audrasjb.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.7.1 happen:

99w, Adam Silverstein, Andrew Ozz, annalamprou, anotherdave, Ari Stathopoulos, Ayesh Karunaratne, bobbingwide, Brecht, Daniel Richards, David Baumwald, dkoo, Dominik Schilling, dragongate, eatsleepcode, Ella van Durpe, Erik, Fabian Pimminger, Felix Arntz, Florian TIAR, gab81, Gal Baras, Geoffrey, George Mamadashvili, Glen Davies, Greg Ziółkowski, grzim, Ipstenu (Mika Epstein), Jake Spurlock, Jayman Pandya, Jb Audras, Joen A., Johan Jonk Stenström, Johannes Kinast, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Josee Wouters, Joy, k3nsai, Kelly Choyce-Dwan, Kerry Liu, Marius L. J., Mel Choyce-Dwan, Mikhail Kobzarev, mmuyskens, Mukesh Panchal, nicegamer7, Otshelnik-Fm, Paal Joachim Romdahl, palmiak, Pascal Birchler, Peter Wilson, pwallner, Rachel Baker, Riad Benguella, Rinat Khaziev, Robert Anderson, Roger Theriault, Sergey Biryukov, Sergey Yakimov, SirStuey, stefanjoebstl, Stephen Bernhardt, Sumit Singh, Sybre Waaijer, Synchro, Terri Ann, tigertech, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toru Miki, Ulrich, and Vlad T.

This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates

WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

• Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
• Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
• Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
• Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
• Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
• Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

One maintenance update was also deployed to versions 5.1, 5.2 and 5.3. See the related developer note for more information.

You can browse the full list of changes on Trac.

For more info, browse the full list of changes on Trac or check out the Version 5.4.2 documentation page.

WordPress 5.4.2 is a short-cycle maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.2 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Thanks and props!

In addition to the security researchers mentioned above, thank you to everyone who helped make WordPress 5.4.2 happen:

Andrea Fercia, argentite, M Asif Rahman, Jb Audras, Ayesh Karunaratne, bdcstr, Delowar Hossain, Rob Migchels, donmhico, Ehtisham Siddiqui, Emilie LEBRUN, finomeno, garethgillman, Giorgio25b, Gabriel Maldonado, Hector F, Ian Belanger, Aaron Jorbin, Mathieu Viet, Javier Casares, Joe McGill, jonkolbert, Jono Alderson, Joy, Tammie Lister, Kjell Reigstad, KT, markusthiel, Mayank Majeji, Mel Choyce-Dwan, mislavjuric, Mukesh Panchal, Nikhil Bhansi, oakesjosh, Dominik Schilling, Arslan Ahmed, Peter Wilson, Carolina Nymark, Stephen Bernhardt, Sam Fullalove, Alain Schlesser, Sergey Biryukov, skarabeq, Daniel Richards, Toni Viemerö, suzylah, Timothy Jacobs, TeBenachi, Jake Spurlock and yuhin.