12 October 2023
WordPress version 6.3.2 is now available (security release).
Upgrading to WordPress 6.3.2
WordPress 6.3.2 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply WordPress updates as new versions are released, or use Installatron's Clone feature to duplicate an existing WordPress install to test the 6.3.2 upgrade prior to applying it live. Get started managing your WordPress installations with Installatron.
What's New in WordPress 6.3.2
This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.
Core Bug Fixes
- #59489 — Themes: Fix core block style paths on Windows
- #59198 — Upgrade/Install: Check plugin compatibility during bulk upgrades
- #59293 — Editor: Update packages with bug fixes for 6.3.2
- #59086 — Twenty Twenty: Fix style issues within iframed editor
- #59196 — Build Tools: Avoid doing copy:dynamic when running grunt watch when using --dev option
- #59193 — REST API: Remove misleading comment in WP_REST_Blocks_Controller->get_item_schema
- #59108 — Editor: Preserve block style variations when securing theme
- #59041 — Post Types: allow trashing draft patterns
- #59018 — Editor: Fix loading of assets in blocks in child themes where the directory name starts with the parent theme’s directory name
- #59000 — Editor: Prevent possibility of a fatal error when previewing block themes
- #58754 — Editor: Don’t use fluid layout value in typography
- #58119 — HTML API: Remove all duplicate copies of an attribute when removing
- #59394 — Build/Test Tools: Add sys_get_temp_dir() to open_basedir tests
- #59320 — Upgrade/Install: Fix broken sprintf() call when deleting a backup
- #59292 — HTML API: Skip over contents of RAWTEXT elements such as STYLE
- #58779 — Build/Test Tools: Restore automatically retrying failed E2E tests once
- #59111 — Themes: Avoid stale caches for core block styles
- #59226 — Posts, Post Types: Reinstate missing sort_column options in get_pages()
- #59224 — Posts, Post Types: Avoid redundant SQL query in get_pages()
Block Editor Bug Fixes
- Global Styles: Fix push to global styles for 6.3.x
- Footnotes: enlarge rich text footnote target
- Fallback to default max viewport if layout wide size is fluid.
- Site editor: add missing i18n in HomeTemplateDetails
- RichText: Remove ‘Footnotes’ when interactive formatting is disabled
- Preserve block style variations when securing theme json
- Image: Clear aspect ratio when wide aligned
- Fix missing Replace button in content-locked Image blocks
- Remove “go to” for terms and posts
- Image block: Fix stretched images constrained by max-width
- Fix: Sync status overlaps for some languages in Patterns post type page
- Fix document title alignment in command palette button
- Update document title buttons radius
- Fix: Snack bar not fixed on certain pages in the Site Editor
- Image Block: Don’t render DimensionsTool if it is not resizable
- Site Editor: Fix document actions label helper method
- Add tests for fluid layout + typography
- Fix support of sticky position in non-iframed post editor
- Link Control: persist advanced settings toggle state to preferences if available
- Fix: indicator style when block moving mode
- Fix post editor top toolbar with custom fields in Safari
- Set top toolbar size dynamically
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:
- Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
- Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
- Rafie Muhammad and Edouard L of Patchstack along with a WordPress-commissioned third-party audit for each independently identifying an XSS issue in the post link navigation block.
- Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
- John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
- mascara7784 and a third-party security audit for identifying an XSS vulnerability in the application password screen.
- Jorge Costa of the WordPress Core Team for identifying an XSS vulnerability in the footnotes block.
- s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.