WordPress 6.4.3 was rolled out yesterday featuring two security fixes, 5 bug fixes on Core, and 16 bug fixes for the Block Editor. Given the security nature of this release, WordPress.org strongly advises users to promptly update their sites.

WordPress 6.4.3 is a short-cycle release led by Sarah Norris, Joe McGill, and Aaron Jorbin.  The next major release is version 6.5 scheduled for 26 March 2024.

The Two Security Updates

The two security updates in this release tackle vulnerabilities. The first is a PHP File Upload bypass via Plugin Installer, requiring admin privileges. This flaw allows an attacker to upload PHP files through the plugin and theme uploader. The second update addresses the RCE POP Chains vulnerability, enabling the execution of arbitrary code on the server.

These were responsibly reported by m4tuto and Sam Thomas.  

Bug Fixes on Core

The release also fixes five bugs in the Core.

• Text not highlighted when editing a page in the latest Chrome Dev and Canary.
• Attachment pages are only disabled for users who are logged in.
• Deprecated print_emoji_styles produced during embed
• wp-login.php: login messages/errors
• Update the default PHP version used in the local Docker Environment for older branches.

This release also includes 16 Block Editor bug fixes, including duotone not showing in site editor style block level styles, block rename control shown in “Advanced” for unsupported blocks, pattern category renaming causing potential duplicate categories and focus loss when resetting background image.

To ensure your WordPress sites are safe, update them immediately. If you have not set your sites to auto update,  you can update them from the dashboard manually. Stay secure by keeping your WordPress installation up to date.