Sourced from WordPress.org Documentation.
Summary
Security updates
This release features several security fixes that were not fully applied to the 6.9.2 release. Because this is a security release, it is recommended that you update your sites immediately.
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:
- A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
- An authorization bypass on the Notes feature reported by kaminuma
- An XXE in the external getID3 library reported by Youssef Achtatal
- Thomas Kräftner for his responsible disclosure
The WordPress security team has worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix in getID3. A new version of getID3 is available from the library's maintainer.
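The PclZip issue above is named only by class (path traversal in archive extraction). The following is an added example, not WordPress or PclZip code and not a reproduction of the reported bug: it constructs a sample archive with a relative `../` member and an absolute-path member, then shows a check that rejects the whole archive before anything is written. The sample archive, the `plugin/readme.txt` and `wp-config.php` member names, and the `is_safe_member`, `unsafe_members`, `safe_extract` and `demo` helpers are all assumptions made for this illustration.

```python
"""Zip path-traversal ("zip slip") check, added as an illustration of the
vulnerability class named above. Not WordPress/PclZip code; the archive and
all helper names are constructed for this example."""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would resolve outside the extraction root."""

    def __init__(self, name: str) -> None:
        super().__init__(f"refusing unsafe archive entry: {name!r}")
        self.name = name


def build_sample_zip(include_traversal: bool = True) -> bytes:
    """Constructed sample archive (not a real plugin or theme package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/readme.txt", "benign content\n")
        if include_traversal:
            # One member climbs out of the target directory, one is absolute.
            zf.writestr("../../wp-config.php", "<?php // planted file\n")
            zf.writestr("/etc/cron.d/evil", "absolute path entry\n")
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """Lexical check on the member name exactly as stored in the archive.

    Backslashes are treated as separators (some archivers write them); then
    absolute paths, drive letters and any '..' component that survives
    normalisation are refused. 'a/../b' normalises to 'b' and is accepted.
    """
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    norm = posixpath.normpath(norm)
    return norm != "." and ".." not in norm.split("/")


def unsafe_members(zip_bytes: bytes) -> list[str]:
    """Names of every member that fails the lexical check, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest, refusing the whole archive if any member is unsafe.

    All names are checked before the first byte is written, so a rejected
    archive leaves nothing behind. The realpath containment test is a second
    line of defence that does not rely on the lexical check being complete.
    """
    bad = unsafe_members(zip_bytes)
    if bad:
        raise UnsafeArchiveEntry(bad[0])
    root = os.path.realpath(dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchiveEntry(info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def demo(zip_bytes: bytes) -> tuple[str, str | list[str]]:
    """Extract into a throwaway directory and report the outcome without raising."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return ("extracted", safe_extract(zip_bytes, tmp))
        except UnsafeArchiveEntry as exc:
            return ("rejected", exc.name)


if __name__ == "__main__":
    print(demo(build_sample_zip(include_traversal=False)))
    print(demo(build_sample_zip()))
```

The check is done on the stored member names rather than left to the extraction library, so it behaves the same whatever the underlying archive code does with `..` or leading slashes; rejecting the whole archive rather than skipping individual members avoids installing a package that has been partially tampered with.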