Changelog
wordpress (6.0.3+dfsg1-1) unstable; urgency=high
* New security release Closes: #1022575
- Stored XSS via wp-mail.php (post by email)
- Open redirect in `wp_nonce_ays`
- Sender’s email address is exposed in wp-mail.php
- Media Library – Reflected XSS via SQLi
- CSRF in wp-trackback.php
- Stored XSS via the Customizer
- Revert shared user instances introduced in 50790
- Stored XSS in WordPress Core via Comment Editing
- Data exposure via the REST Terms/Tags Endpoint
- Content from multipart emails leaked
- SQL Injection due to improper sanitization in `WP_Date_Query`
- RSS Widget: Stored XSS issue
- Stored XSS in the search block
- Feature Image Block: XSS issue
- RSS Block: Stored XSS issue
- Fix widget block XSS
-- Craig Small <email address hidden> Mon, 24 Oct 2022 21:10:11 +1100