WordPress 6.8.3 Security Update Fixes Data Exposure and XSS Vulnerabilities


WordPress 6.8.3, a security-focused update addressing two vulnerabilities, was released on September 30, 2025. The update addresses a data exposure flaw and a cross-site scripting (XSS) issue.

The release is now available for download via WordPress.org or directly through the WordPress Dashboard. Sites with automatic background updates enabled will update without user intervention. The next major WordPress version, 6.9, is scheduled for December 2, 2025.

The Security Fixes

The WordPress security team confirmed that version 6.8.3 resolves the following vulnerabilities:

  • Data Exposure Issue – This flaw, which allowed authenticated users to access restricted content, was fixed. This issue was reported by researchers Mike Nelson, Abu Hurayra, Timothy Jacobs, and Peter Wilson.
  • Cross-Site Scripting (XSS) Vulnerability – The vulnerability affecting the nav menus was also patched. The issue was reported by Phill Savage.

The release was coordinated by John Blackbourn, with acknowledgment of the security researchers and contributors who supported the update. Both fixes have also been applied to all older WordPress branches eligible for security support, going back to version 4.7. The team had earlier announced that they would no longer provide updates for WordPress versions 4.1 through 4.6.
