WordPress 6.0.3 Security Release

On October 17, WordPress 6.0.3 was released. This is a security release, so it is recommended that you update your installations as soon as possible. All versions since WordPress 3.7 have received an update.

WordPress 6.0.3 is a short-cycle release. The next major release is WordPress 6.1, which is scheduled for November 1st.

If your sites have background updates active, the new version may already be online.

The update can be activated manually in the backend under »Dashboard« › »Updates«, and if you want to create a new installation, you can download the WordPress files from de.wordpress.org.

More information about the release is available on the HelpHub page.

Security updates in this release

The security team would like to thank the following individuals for responsibly reporting the security vulnerabilities that have been fixed in this release.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in wp_nonce_ays – devrayn
  • Sender's email address exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library: reflected XSS via SQLi – Ben Bidner of the WordPress Security Team and Marc Montpas of Automattic discovered the issue independently
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha of the WordPress Security Team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner of the WordPress Security Team
  • Fix stored XSS in WordPress Core via comment editing – Third-party security audit and Alex Concha of the WordPress Security Team
  • Data exposure via the REST terms/tags endpoint – Than Taintor
  • Content of multipart emails leaked – Thomas Kräftner
  • SQL injection due to insufficient sanitization in WP_Date_Query – Michael Mazzolini
  • RSS Widget: stored XSS issue – Third-party security audit
  • Stored XSS in the Search block – Alex Concha of the WordPress Security Team
  • Featured Image block: XSS issue – Third-party security audit
  • RSS block: stored XSS issue – Third-party security audit
  • Fix Widget block XSS – Third-party security audit

Thank you

This release was produced by Alex Concha, Peter Wilson, Jb Audras and Sergey Biryukov. Thanks to Jonathan Desrosiers, Jorge Costa, Bernie Reiter, and Carlos Bravo for helping with package updates.

WordPress 6.0.3 would not have been possible without the help of the following people.

Alex Concha, Colin Stewart, Daniel Richards, David Baumwald, Dion Hulse, ehtis, Garth Mortensen, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, Juliette Reinders Folmer, Linkon Miyan, martin.krcho, Matias Ventura, Mukesh Panchal, Paul Kevan, Peter Wilson, Robert Anderson, Robin, Sergey Biryukov, Sumit Bagthariya, Teddy Patriarche, Timothy Jacobs, vortfu and Czesław Przywara.