WordPress 6.5.2 was released on April 9, 2024 as a security release, primarily to address a cross-site scripting (XSS) vulnerability in the Avatar block. The issue was reported by John Blackbourn of the WordPress security team, with assistance from Mat Rollings. The fix has also been backported to the WordPress 6.0 and later release branches.
Wordfence reports that this vulnerability “could be exploited by both unauthenticated users, when a comment block is present on a page, and by authenticated users who have access to the block editor such as contributors.” They have categorized the vulnerability as “High,” assigning it a CVSS (Common Vulnerability Scoring System) score of 7.2, which falls in the High band (7.0 to 8.9) of the CVSS v3 scale.
Other Updates
This security release also includes 2 bug fixes in Core and 12 bug fixes in the Block Editor. The Core fixes address a RecursiveDirectoryIterator call that triggered E_WARNING errors when New Relic was active, and the font_dir filter entering an infinite loop when wp_get_upload_dir() was called from inside the filter callback.
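As an added illustration of the second Core fix (example code, not from the article or from WordPress core), the two `font_dir` callbacks below show the difference between the pattern the changelog names as the trigger, a callback that calls `wp_get_upload_dir()` from inside the `font_dir` filter, and a callback that only works with the array the filter already hands it. `add_filter`, `wp_get_upload_dir`, `path_join`, `untrailingslashit` and the array keys `path`, `url`, `subdir`, `basedir`, `baseurl` and `error` are WordPress's own; the function names, the `custom-fonts` subdirectory and the hook priorities are this example's assumptions.

```php
<?php
/**
 * Added example, not WordPress core code and not from the article.
 *
 * The Font Library in WordPress 6.5 passes an array with the keys path, url,
 * subdir, basedir, baseurl and error through the `font_dir` filter so that a
 * site can relocate uploaded fonts. The two callbacks below differ only in
 * where they get the base directory from.
 */

// Callback 1: the pattern the 6.5.2 changelog names as the trigger of the
// infinite loop on 6.5.0. It calls wp_get_upload_dir() from inside the
// font_dir filter to put fonts under the uploads directory. Only use this on
// WordPress 6.5.2 or later, where Core no longer loops on this pattern.
function example_font_dir_under_uploads( array $font_dir ) {
    $uploads = wp_get_upload_dir(); // re-enters the upload-directory code while font_dir is running

    $font_dir['subdir']  = '/custom-fonts'; // assumed subdirectory name
    $font_dir['basedir'] = $uploads['basedir'];
    $font_dir['baseurl'] = $uploads['baseurl'];
    $font_dir['path']    = path_join( $uploads['basedir'], 'custom-fonts' );
    $font_dir['url']     = untrailingslashit( $uploads['baseurl'] ) . '/custom-fonts';
    $font_dir['error']   = false;

    return $font_dir;
}

// Callback 2: the same relocation expressed relative to the directory the
// filter already received. It never calls wp_get_upload_dir() (or any other
// function that applies the upload_dir filter), so it does not exercise the
// loop the page describes and works unchanged on 6.5.0 through 6.5.2.
function example_font_dir_relative( array $font_dir ) {
    $subdir = '/custom-fonts'; // assumed subdirectory name

    $font_dir['subdir'] = $subdir;
    $font_dir['path']   = path_join( $font_dir['basedir'], ltrim( $subdir, '/' ) );
    $font_dir['url']    = untrailingslashit( $font_dir['baseurl'] ) . $subdir;
    $font_dir['error']  = false;

    return $font_dir;
}

// Register only one of the two. The version gate keeps the re-entrant
// callback off sites that still run 6.5.0 or 6.5.1; $wp_version is the
// global WordPress Core defines in wp-includes/version.php.
global $wp_version;
if ( version_compare( $wp_version, '6.5.2', '>=' ) ) {
    add_filter( 'font_dir', 'example_font_dir_under_uploads', 10, 1 );
} else {
    add_filter( 'font_dir', 'example_font_dir_relative', 10, 1 );
}
```

Whichever callback is registered, the directory it returns must exist and be writable by the web server before the first font upload, and a site that relocates fonts should re-check that location after updating, since the returned `path` is where uploaded font files will be written.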
WordPress 6.5.1
WordPress 6.5.2 is the first minor release for WordPress 6.5, as WordPress 6.5.1 was never released due to an error with the initial package. WordPress Core Committer Aaron Jorbin shared that “When the tag for 6.5.1 was created on the WordPress build server, it was created from a previous revision of the 6.5 branch. As tags are treated as immutable, this meant that WordPress 6.5.1 could not be released.” Both the Core and Systems teams are implementing measures to prevent such occurrences in the future.
As this is a security release, the WordPress team recommends that you update your sites immediately. Sites that have not disabled automatic background updates for minor releases will receive 6.5.2 automatically; all others should update manually and confirm the installed version afterwards. The next major release, WordPress 6.6, is expected on July 16, 2024.