WordPress 6.3.2

12 October 2023

WordPress version 6.3.2 is now available (security release).

Upgrading to WordPress 6.3.2

What's New in WordPress 6.3.2

• #59489 — Themes: Fix core block style paths on Windows
  
• #59198 — Upgrade/Install: Check plugin compatibility during bulk upgrades
  
• #59293 — Editor: Update packages with bug fixes for 6.3.2
  
• #59086 — Twenty Twenty: Fix style issues within iframed editor
  
• #59196 — Build Tools: Avoid doing copy:dynamic when running grunt watch when using --dev option
  
• #59193 — REST API: Remove misleading comment in WP_REST_Blocks_Controller->get_item_schema
  
• #59108 — Editor: Preserve block style variations when securing theme
  
• #59041 — Post Types: allow trashing draft patterns
  
• #59018 — Editor: Fix loading of assets in blocks in child themes where the directory name starts with the parent theme’s directory name
  
• #59000 — Editor: Prevent possibility of a fatal error when previewing block themes
  
• #58754 — Editor: Don’t use fluid layout value in typography
  
• #58119 — HTML API: Remove all duplicate copies of an attribute when removing
  
• #59394 — Build/Test Tools: Add sys_get_temp_dir() to open_basedir tests
  
• #59320 — Upgrade/Install: Fix broken sprintf() call when deleting a backup
  
• #59292 — HTML API: Skip over contents of RAWTEXT elements such as STYLE
  
• #58779 — Build/Test Tools: Restore automatically retrying failed E2E tests once
  
• #59111 — Themes: Avoid stale caches for core block styles
  
• #59226 — Posts, Post Types: Reinstate missing sort_column options in get_pages()
  
• #59224 — Posts, Post Types: Avoid redundant SQL query in get_pages()
  

• Global Styles: Fix push to global styles for 6.3.x
  
• Footnotes: enlarge rich text footnote target
  
• Fallback to default max viewport if layout wide size is fluid.
  
• Site editor: add missing i18n in HomeTemplateDetails
  
• RichText: Remove ‘Footnotes’ when interactive formatting is disabled
  
• Preserve block style variations when securing theme json
  
• Image: Clear aspect ratio when wide aligned
  
• Fix missing Replace button in content-locked Image blocks
  
• Remove “go to” for terms and posts
  
• Image block: Fix stretched images constrained by max-width
  
• Fix: Sync status overlaps for some languages in Patterns post type page
  
• Fix document title alignment in command palette button
  
• Update document title buttons radius
  
• Fix: Snack bar not fixed on certain pages in the Site Editor
  
• Image Block: Don’t render DimensionsTool if it is not resizable
  
• Site Editor: Fix document actions label helper method
  
• Add tests for fluid layout + typograph
  
• Fix support of sticky position in non-iframed post editor
  
• Link Control: persist advanced settings toggle state to preferences if available
  
• Fix: indicator style when block moving mode
  
• Fix post editor top toolbar with custom fields in Safari
  
• Set top toolbar size dynamically
  

• Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  
• Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  
• Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying a XSS issue in the post link navigation block.
  
• Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  
• John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  
• mascara7784 and a third-party security audit for identifying a XSS vulnerability in the application password screen.
  
• Jorge Costa of the WordPress Core Team for identifying XSS vulnerability in the footnotes block.
  
• s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.