tag:github.com,2008:https://github.com/roots/wordpress/releases Release notes from wordpress 2026-03-13T16:21:23Z tag:github.com,2008:Repository/160979913/5.2.24 2026-03-13T16:51:35Z Version 5.2.24 <p><em>Version notes available on <a href="https://wordpress.org/documentation/wordpress-version/version-5-2-24/" rel="nofollow">WordPress.org Documentation</a>.</em></p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/5.1.22 2026-03-13T16:51:35Z Version 5.1.22 <p><em>Version notes available on <a href="https://wordpress.org/documentation/wordpress-version/version-5-1-22/" rel="nofollow">WordPress.org Documentation</a>.</em></p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/5.0.25 2026-03-13T16:51:35Z Version 5.0.25 <p><em>Version notes available on <a href="https://wordpress.org/documentation/wordpress-version/version-5-0-25/" rel="nofollow">WordPress.org Documentation</a>.</em></p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/4.9.29 2026-03-13T16:51:35Z Version 4.9.29 <p><em>Version notes available on <a href="https://wordpress.org/documentation/wordpress-version/version-4-9-29/" rel="nofollow">WordPress.org Documentation</a>.</em></p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/4.8.28 2026-03-13T16:51:35Z Version 4.8.28 <p><em>Version notes available on <a href="https://wordpress.org/documentation/wordpress-version/version-4-8-28/" rel="nofollow">WordPress.org Documentation</a>.</em></p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/6.3.8 2026-03-12T05:12:16Z Version 6.3.8 <p><em>Sourced from <a href="https://wordpress.org/documentation/wordpress-version/version-6-3-8/" rel="nofollow">WordPress.org Documentation</a>.</em></p> <h2>Summary</h2> <h3 id="user-content-maintenance-updates">Security updates</h3> <p>This release features several security fixes. 
Because this is a security release, <strong>it is recommended that you update your sites immediately.</strong></p> <p>The security team would like to thank the following people for <a href="https://hackerone.com/wordpress?type=team" rel="nofollow">responsibly reporting vulnerabilities</a>, and allowing them to be fixed in this release:</p> <ul> <li>A Blind SSRF issue reported by <a href="https://hackerone.com/sibwtf" rel="nofollow">sibwtf</a>, and subsequently by several other researchers while the fix was being worked on</li> <li>A PoP-chain weakness in the HTML API and Block Registry reported by <a href="https://github.com/hackerlo2003">Phat RiO</a></li> <li>A regex DoS weakness in numeric character references reported by Dennis Snell of the WordPress Security Team</li> <li>A stored XSS in nav menus reported by <a href="https://x.com/Savphill" rel="nofollow">Phill Savage</a></li> <li>An AJAX <code>query-attachments</code> authorization bypass reported by <a href="https://www.vitalysim.com/" rel="nofollow">Vitaly Simonovich</a></li> <li>A stored XSS via the <code>data-wp-bind</code> directive reported by <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XSS that allows overriding client-side templates in the admin area reported by <a href="https://hackerone.com/amosec" rel="nofollow">Asaf Mozes</a></li> <li>A PclZip path traversal issue reported independently by <a href="https://profiles.wordpress.org/francescocarlucci/" rel="nofollow">Francesco Carlucci</a> and <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XXE in the external getID3 library reported by <a href="https://profiles.wordpress.org/regex33/" rel="nofollow">Youssef Achtatal</a></li> </ul> <p>The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. 
A new version of getID3 <a href="https://github.com/JamesHeinrich/getID3/releases">is available here</a>.<br>As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, <strong>only the most recent version of WordPress is actively supported</strong>.</p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/6.2.9 2026-03-12T05:12:16Z Version 6.2.9 <p><em>Sourced from <a href="https://wordpress.org/documentation/wordpress-version/version-6-2-9/" rel="nofollow">WordPress.org Documentation</a>.</em></p> <h2>Summary</h2> <h3 id="user-content-maintenance-updates">Security updates</h3> <p>This release features several security fixes. Because this is a security release, <strong>it is recommended that you update your sites immediately.</strong></p> <p>The security team would like to thank the following people for <a href="https://hackerone.com/wordpress?type=team" rel="nofollow">responsibly reporting vulnerabilities</a>, and allowing them to be fixed in this release:</p> <ul> <li>A Blind SSRF issue reported by <a href="https://hackerone.com/sibwtf" rel="nofollow">sibwtf</a>, and subsequently by several other researchers while the fix was being worked on</li> <li>A PoP-chain weakness in the HTML API and Block Registry reported by <a href="https://github.com/hackerlo2003">Phat RiO</a></li> <li>A regex DoS weakness in numeric character references reported by Dennis Snell of the WordPress Security Team</li> <li>A stored XSS in nav menus reported by <a href="https://x.com/Savphill" rel="nofollow">Phill Savage</a></li> <li>An AJAX <code>query-attachments</code> authorization bypass reported by <a href="https://www.vitalysim.com/" rel="nofollow">Vitaly Simonovich</a></li> <li>A stored XSS via the <code>data-wp-bind</code> directive reported by <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XSS that allows overriding client-side 
templates in the admin area reported by <a href="https://hackerone.com/amosec" rel="nofollow">Asaf Mozes</a></li> <li>A PclZip path traversal issue reported independently by <a href="https://profiles.wordpress.org/francescocarlucci/" rel="nofollow">Francesco Carlucci</a> and <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XXE in the external getID3 library reported by <a href="https://profiles.wordpress.org/regex33/" rel="nofollow">Youssef Achtatal</a></li> </ul> <p>The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 <a href="https://github.com/JamesHeinrich/getID3/releases">is available here</a>.<br>As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, <strong>only the most recent version of WordPress is actively supported</strong>.</p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/6.1.10 2026-03-12T05:12:16Z Version 6.1.10 <p><em>Sourced from <a href="https://wordpress.org/documentation/wordpress-version/version-6-1-10/" rel="nofollow">WordPress.org Documentation</a>.</em></p> <h2>Summary</h2> <h3 id="user-content-maintenance-updates">Security updates</h3> <p>This release features several security fixes. 
Because this is a security release, <strong>it is recommended that you update your sites immediately.</strong></p> <p>The security team would like to thank the following people for <a href="https://hackerone.com/wordpress?type=team" rel="nofollow">responsibly reporting vulnerabilities</a>, and allowing them to be fixed in this release:</p> <ul> <li>A Blind SSRF issue reported by <a href="https://hackerone.com/sibwtf" rel="nofollow">sibwtf</a>, and subsequently by several other researchers while the fix was being worked on</li> <li>A PoP-chain weakness in the HTML API and Block Registry reported by <a href="https://github.com/hackerlo2003">Phat RiO</a></li> <li>A stored XSS in nav menus reported by <a href="https://x.com/Savphill" rel="nofollow">Phill Savage</a></li> <li>An AJAX <code>query-attachments</code> authorization bypass reported by <a href="https://www.vitalysim.com/" rel="nofollow">Vitaly Simonovich</a></li> <li>A stored XSS via the <code>data-wp-bind</code> directive reported by <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XSS that allows overriding client-side templates in the admin area reported by <a href="https://hackerone.com/amosec" rel="nofollow">Asaf Mozes</a></li> <li>A PclZip path traversal issue reported independently by <a href="https://profiles.wordpress.org/francescocarlucci/" rel="nofollow">Francesco Carlucci</a> and <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XXE in the external getID3 library reported by <a href="https://profiles.wordpress.org/regex33/" rel="nofollow">Youssef Achtatal</a></li> </ul> <p>The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. 
A new version of getID3 <a href="https://github.com/JamesHeinrich/getID3/releases">is available here</a>.<br>As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, <strong>only the most recent version of WordPress is actively supported</strong>.</p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/5.9.13 2026-03-12T05:12:16Z Version 5.9.13 <p><em>Sourced from <a href="https://wordpress.org/documentation/wordpress-version/version-5-9-13/" rel="nofollow">WordPress.org Documentation</a>.</em></p> <h2>Summary</h2> <h3 id="user-content-maintenance-updates">Security updates</h3> <p>This release features several security fixes. Because this is a security release, <strong>it is recommended that you update your sites immediately.</strong></p> <p>The security team would like to thank the following people for <a href="https://hackerone.com/wordpress?type=team" rel="nofollow">responsibly reporting vulnerabilities</a>, and allowing them to be fixed in this release:</p> <ul> <li>A Blind SSRF issue reported by <a href="https://hackerone.com/sibwtf" rel="nofollow">sibwtf</a>, and subsequently by several other researchers while the fix was being worked on</li> <li>A PoP-chain weakness in the HTML API and Block Registry reported by <a href="https://github.com/hackerlo2003">Phat RiO</a></li> <li>A stored XSS in nav menus reported by <a href="https://x.com/Savphill" rel="nofollow">Phill Savage</a></li> <li>An AJAX <code>query-attachments</code> authorization bypass reported by <a href="https://www.vitalysim.com/" rel="nofollow">Vitaly Simonovich</a></li> <li>A stored XSS via the <code>data-wp-bind</code> directive reported by <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XSS that allows overriding client-side templates in the admin area reported by <a href="https://hackerone.com/amosec" rel="nofollow">Asaf Mozes</a></li> 
<li>A PclZip path traversal issue reported independently by <a href="https://profiles.wordpress.org/francescocarlucci/" rel="nofollow">Francesco Carlucci</a> and <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> </ul> <p>The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 <a href="https://github.com/JamesHeinrich/getID3/releases">is available here</a>.<br>As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, <strong>only the most recent version of WordPress is actively supported</strong>.</p> wordpress-packager[bot] tag:github.com,2008:Repository/160979913/5.7.15 2026-03-12T05:12:16Z Version 5.7.15 <p><em>Sourced from <a href="https://wordpress.org/documentation/wordpress-version/version-5-7-15/" rel="nofollow">WordPress.org Documentation</a>.</em></p> <h2>Summary</h2> <h3 id="user-content-maintenance-updates">Security updates</h3> <p>This release features several security fixes. 
Because this is a security release, <strong>it is recommended that you update your sites immediately.</strong></p> <p>The security team would like to thank the following people for <a href="https://hackerone.com/wordpress?type=team" rel="nofollow">responsibly reporting vulnerabilities</a>, and allowing them to be fixed in this release:</p> <ul> <li>A Blind SSRF issue reported by <a href="https://hackerone.com/sibwtf" rel="nofollow">sibwtf</a>, and subsequently by several other researchers while the fix was being worked on</li> <li>A PoP-chain weakness in the HTML API and Block Registry reported by <a href="https://github.com/hackerlo2003">Phat RiO</a></li> <li>A stored XSS in nav menus reported by <a href="https://x.com/Savphill" rel="nofollow">Phill Savage</a></li> <li>An AJAX <code>query-attachments</code> authorization bypass reported by <a href="https://www.vitalysim.com/" rel="nofollow">Vitaly Simonovich</a></li> <li>A stored XSS via the <code>data-wp-bind</code> directive reported by <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> <li>An XSS that allows overriding client-side templates in the admin area reported by <a href="https://hackerone.com/amosec" rel="nofollow">Asaf Mozes</a></li> <li>A PclZip path traversal issue reported independently by <a href="https://profiles.wordpress.org/francescocarlucci/" rel="nofollow">Francesco Carlucci</a> and <a href="https://profiles.wordpress.org/kaminuma/" rel="nofollow">kaminuma</a></li> </ul> <p>The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 <a href="https://github.com/JamesHeinrich/getID3/releases">is available here</a>.<br>As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). 
As a reminder, <strong>only the most recent version of WordPress is actively supported</strong>.</p> wordpress-packager[bot]