WordPress 6.4.3 was rolled out yesterday, featuring two security fixes, 5 bug fixes in Core, and 16 bug fixes for the Block Editor. Because this is a security release, WordPress.org strongly advises users to update their sites promptly.
The Two Security Updates
The two security updates in this release address the following vulnerabilities. The first is a PHP file upload bypass via the Plugin Installer, which requires admin privileges. This flaw allows an attacker to upload PHP files through the plugin and theme uploader. The second is the RCE POP Chains vulnerability, which enables the execution of arbitrary code on the server.
Bug Fixes on Core
The release also fixes five bugs in Core:
- Text not highlighted when editing a page in the latest Chrome Dev and Canary.
- Attachment pages are only disabled for users who are logged in.
- Deprecated print_emoji_styles produced during embed
- wp-login.php: login messages/errors
- Update the default PHP version used in the local Docker Environment for older branches.
This release also includes 16 Block Editor bug fixes, including duotone not showing in site editor style block level styles, block rename control shown in “Advanced” for unsupported blocks, pattern category renaming causing potential duplicate categories, and focus loss when resetting the background image.
To keep your WordPress sites safe, update them immediately. If you have not set your sites to auto-update, you can update them manually from the dashboard. Stay secure by keeping your WordPress installation up to date.