{"id":16122,"date":"2023-10-12T20:44:34","date_gmt":"2023-10-12T20:44:34","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=16122"},"modified":"2023-10-12T23:06:05","modified_gmt":"2023-10-12T23:06:05","slug":"wordpress-6-3-2-maintenance-and-security-release","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-3-2-maintenance-and-security-release\/","title":{"rendered":"WordPress 6.3.2 &#8211; Maintenance and Security release"},"content":{"rendered":"\n<p>This security and maintenance release features <a href=\"https:\/\/core.trac.wordpress.org\/query?milestone=6.3.2&amp;group=component&amp;col=id&amp;col=summary&amp;col=milestone&amp;col=owner&amp;col=type&amp;col=status&amp;col=priority&amp;order=priority\">19 bug fixes on Core<\/a>, 22 bug fixes for the Block Editor, and 8 security fixes.<\/p>\n\n\n\n<p>WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the <a href=\"https:\/\/make.wordpress.org\/core\/2023\/10\/06\/wordpress-6-3-2-rc1-is-now-available\/\">Release Candidate announcement<\/a>. Because this is a <strong>security release<\/strong>, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.<\/p>\n\n\n\n<p>The next major release will be <a href=\"https:\/\/make.wordpress.org\/core\/6-4\/\">version 6.4<\/a> planned for 7 November 2023.<\/p>\n\n\n\n<p>If you have sites that support automatic background updates, the update process will begin automatically.<\/p>\n\n\n\n<p>You can <a href=\"https:\/\/wordpress.org\/wordpress-6.3.2.zip\">download WordPress 6.3.2 from WordPress.org<\/a>, or visit your WordPress Dashboard, click \u201cUpdates\u201d, and then click \u201cUpdate Now\u201d.<\/p>\n\n\n\n<p>For more information on this release, please <a href=\"https:\/\/wordpress.org\/support\/wordpress-version\/version-6-3-2\">visit the HelpHub site<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security updates included in this release<\/h2>\n\n\n\n<p>The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Marc Montpas of Automattic for finding a potential disclosure of user email addresses.<\/li>\n\n\n\n<li>Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.<\/li>\n\n\n\n<li>Rafie Muhammad and Edouard L of <a href=\"https:\/\/patchstack.com\/\">Patchstack<\/a> along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.linkedin.com\/in\/audrasjb\/\">Jb Audras<\/a> of the WordPress Security Team and Rafie Muhammad of <a href=\"https:\/\/patchstack.com\/\">Patchstack<\/a> for each independently discovering an issue where comments on private posts could be leaked to other users.<\/li>\n\n\n\n<li>John Blackbourn (WordPress Security Team), <a href=\"https:\/\/hackerone.com\/jamesgol?type=user\">James Golovich<\/a>, <a href=\"https:\/\/hackerone.com\/jdgrimes\">J.D Grimes<\/a>, <a href=\"https:\/\/hackerone.com\/numan\">Numan Turle<\/a>, <a href=\"https:\/\/hackerone.com\/whitecybersec?type=user\">WhiteCyberSec<\/a> for each independently identifying a way for logged-in users to execute any shortcode.<\/li>\n\n\n\n<li><a href=\"https:\/\/facebook.com\/zino.abdrahim\">mascara7784<\/a> and a third-party security audit for identifying a XSS vulnerability in the application password screen.<\/li>\n\n\n\n<li><a href=\"https:\/\/profiles.wordpress.org\/jorgefilipecosta\/\">Jorge Costa<\/a> of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.<\/li>\n\n\n\n<li><a href=\"https:\/\/hackerone.com\/s5s\">s5s<\/a> and <a href=\"http:\/\/twitter.com\/Raoufmaklouf\">raouf_maklouf<\/a> for independently identifying a cache poisoning DoS vulnerability.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Thank you to these WordPress contributors<\/h2>\n\n\n\n<p>This release was led by <a href=\"https:\/\/profiles.wordpress.org\/joemcgill\/\">Joe McGill<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jorbin\/\">Aaron Jorbin<\/a> and <a href=\"https:\/\/profiles.wordpress.org\/audrasjb\">Jb Audras<\/a>, with the help of<a href=\"https:\/\/profiles.wordpress.org\/davidbaumwald\/\"> David Baumwald<\/a> on mission control.<\/p>\n\n\n\n<p>WordPress 6.3.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.<\/p>\n\n\n\n<p class=\"is-style-wporg-props-long\"><a href=\"https:\/\/profiles.wordpress.org\/jorbin\">Aaron Jorbin<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/wildworks\">Aki Hamano<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/akihiroharai\">Akihiro Harai<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/xknown\">Alex Concha<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/azaozz\">Andrew Ozz<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/afragen\">Andy Fragen<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/antpb\">Anthony Burchell<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/aurooba\">Aurooba Ahmed<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/scruffian\">Ben Dwyer<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/poena\">Carolina Nymark<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/costdev\">Colin Stewart<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/coreyw\">Corey Worrell<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/colorful tones\">Damon Cook<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/david.binda\">David Bi\u0148ovec<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/desmith\">David E. Smith<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dsas\">Dean Sas<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dmsnell\">Dennis Snell<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dhruvishah2203\">Dhruvi Shah<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dd32\">Dion Hulse<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/ehtis\">Ehtisham S.<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/flixos90\">Felix Arntz<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/Mamaduka\">George Mamadashvili<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/gziolo\">Greg Zi\u00f3\u0142kowski<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/huzaifaalmesbah\">Huzaifa Al Mesbah<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/isabel_brison\">Isabel Brison<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/audrasjb\">Jb Audras<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/joehoyle\">Joe Hoyle<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/joemcgill\">Joe McGill<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/johnbillion\">John Blackbourn<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/johnjamesjacoby\">John James Jacoby<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/desrosj\">Jonathan Desrosiers<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/spacedmonkey\">Jonny Harris<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jorgefilipecosta\">Jorge Costa<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/greenshady\">Justin Tadlock<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/kadamwhite\">K. Adam White<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/kimannwall\">Kim Coleman<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/lhe2012\">LarryWEB<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/lgladdy\">Liam Gladdy<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/iammehedi1\">Mehedi Hassan<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/mcsf\">Miguel Fonseca<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/mukesh27\">Mukesh Panchal<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/nicolefurlan\">Nicole Furlan<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/pbiron\">Paul Biron<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/paulkevan\">Paul Kevan<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/peterwilsoncc\">Peter Wilson<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/pooja1210\">Pooja N Muchandikar<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/rajinsharwar\">Rajin Sharwar<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/rmccue\">Ryan McCue<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/salcode\">Sal Ferrarello<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/SergeyBiryukov\">Sergey Biryukov<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/shailu25\">Shail Mehta<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sabernhardt\">Stephen Bernhardt<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/tykoted\">Teddy Patriarca<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/TimothyBlynJacobs\">Timothy Jacobs<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/westonruter\">Weston Ruter<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/zunaid321\">Zunaid Amin<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/ahardyjpl\">ahardyjpl<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/beryldlg\">beryldlg<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/floydwilde\">floydwilde<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jastos\">jastos<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/martin.krcho\">martin.krcho<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/masteradhoc\">masteradhoc<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/petitphp\">petitphp<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/ramonopoly\">ramonopoly<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/vortfu\">vortfu<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/zieladam\">zieladam<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to contribute<\/h2>\n\n\n\n<p>To get involved in WordPress core development, head over to Trac, <a href=\"https:\/\/core.trac.wordpress.org\/report\/6\">pick a ticket<\/a>, and join the conversation in the <a href=\"https:\/\/wordpress.slack.com\/archives\/C02RQBWTW\">#core<\/a> and <a href=\"https:\/\/wordpress.slack.com\/archives\/C055Y7FKS7N\">#6-4-release-leads channels<\/a>. Need help? Check out the <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/\">Core Contributor Handbook<\/a>.<\/p>\n\n\n\n<p><em>Already testing WordPress 6.4? The fourth beta is now available (<a href=\"https:\/\/wordpress.org\/wordpress-6.4-beta4.zip\">zip<\/a>) and it contains these security fixes. For more on 6.4, see the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/wordpress.org\/news\/2023\/10\/wordpress-6-4-beta-3\/\" target=\"_blank\">beta 3 announcement post<\/a>.<\/em><\/p>\n\n\n\n<p class=\"has-text-align-right\"><em>Thanks to<em> <a href=\"https:\/\/profiles.wordpress.org\/jeffpaul\/\">@jeffpaul<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/chanthaboune\/\">@chanthaboune<\/a>, <\/em><\/em><a href=\"https:\/\/profiles.wordpress.org\/peterwilsoncc\/\">@peterwilsoncc<\/a><em><em> and <a href=\"https:\/\/profiles.wordpress.org\/rawrly\/\">@rawrly<\/a><\/em> for proofreading.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes. WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended [&hellip;]<\/p>\n","protected":false},"author":8670591,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[14,15],"tags":[],"class_list":["post-16122","post","type-post","status-publish","format-standard","hentry","category-releases","category-security"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-4c2","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/16122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/8670591"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=16122"}],"version-history":[{"count":9,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/16122\/revisions"}],"predecessor-version":[{"id":16137,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/16122\/revisions\/16137"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=16122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=16122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=16122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}