WordPress 6.3.2 is a short-cycle release that fixes 19 bugs in Core, 22 bugs in the Block Editor, and patches 8 security vulnerabilities. For a summary of the maintenance updates, check out the Release Candidate announcement. Since this is a security release, it is highly recommended to update your sites immediately. Backports are also available for older major releases like 4.1 and later.
The next major release will be WordPress 6.4, scheduled for November 7, 2023.
If you have automatic background updates enabled, the update process will start automatically. Otherwise, you can download WordPress 6.3.2 from WordPress.org or go to your WordPress Dashboard, click "Updates", and then click "Update Now".
For more details about this release, visit the HelpHub site.
Special thanks to the following people for responsibly disclosing vulnerabilities so they could be fixed in this release:
– Marc Montpas (Automattic): Potential disclosure of user email addresses
– Marc Montpas (Automattic): RCE POP Chains vulnerability
– Rafie Muhammad (Patchstack) and Edouard L: Independently identified XSS issue in post link navigation block
– Jb Audras (WordPress Security Team) and Rafie Muhammad (Patchstack): Independently discovered leak of comments on private posts to other users
– John Blackbourn (WordPress Security Team) et al: Independently identified way for logged-in users to execute arbitrary shortcodes
– mascara7784 and security audit: XSS vulnerability in application password screen
– Jorge Costa (WordPress Core Team): XSS vulnerability in footnotes block
– s5s and raouf_maklouf: Independently identified cache poisoning DoS vulnerability
Aaron Jorbin, Aki Hamano, Akihiro Harai, Alex Concha, Andrew Ozz, Andy Fragen, Anthony Burchell, Aurooba Ahmed, Ben Dwyer, Carolina Nymark, Colin Stewart, Corey Worrell, Damon Cook, David Biňovec, David E. Smith, Dean Sas, Dennis Snell, Dhruvi Shah, Dion Hulse, Ehtisham S., Felix Arntz, George Mamadashvili, Greg Ziółkowski, Huzaifa Al Mesbah, Isabel Brison, Jb Audras, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Jorge Costa, Justin Tadlock, K. Adam White, Kim Coleman, LarryWEB, Liam Gladdy, Mehedi Hassan, Miguel Fonseca, Mukesh Panchal, Nicole Furlan, Paul Biron, Paul Kevan, Peter Wilson, Pooja N Muchandikar, Rajin Sharwar, Ryan McCue, Sal Ferrarello, Sergey Biryukov, Shail Mehta, Stephen Bernhardt, Teddy Patriarca, Timothy Jacobs, Weston Ruter, Zunaid Amin, ahardyjpl, beryldlg, floydwilde, jastos, martin.krcho, masteradhoc, petitphp, ramonopoly, vortfu, zieladam
This release was led by Joe McGill, Aaron Jorbin, and Jb Audras, with help from David Baumwald on mission control.
WordPress 6.3.2 would not have been possible without contributions from the following people. Their asynchronous coordination to deliver maintenance and security fixes exemplifies the strength of the WordPress community.
To contribute to WordPress Core development, visit Trac, pick a ticket, and join the conversations in the #core and #6-4-release-leads channels. See the Core Contributor Handbook for help getting started.
If you're already testing WordPress 6.4, the fourth beta is now available for download and includes these security fixes. See the beta 3 announcement for more on 6.4.
Proofreading credits to @jeffpaul, @chanthaboune, @peterwilsoncc, and @rawrly.
In summary, this update allows you to update your WordPress sites with important security and maintenance fixes. Feel free to leave any questions in the comments. Let's continue building the open source WordPress community together!