stable

wordpress-6.1-1.fc37

FEDORA-2022-245db0c060 created by remi 3 years ago for Fedora 37

Upstream announcement: WordPress 6.1 “Misha”


WordPress 6.0.3 Security Release

Security updates included in this release

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in wp_nonce_ays – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • SQL Injection due to improper sanitization in WP_Date_Query – Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2022-245db0c060

This update has been submitted for testing by remi.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update has been pushed to testing.

3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update has obsoleted wordpress-6.0.3-1.fc37, and has inherited its bugs and notes.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata

  • Type: security
  • Severity: medium
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Autopush Settings

  • Unstable by Karma: -3
  • Stable by Karma: 3
  • Stable by Time: 7 days

Dates

  • submitted: 3 years ago
  • in testing: 3 years ago
  • in stable: 3 years ago
