A new version of WordPress is out, addressing six issues, including XSS vulnerabilities and a potential SQL injection that could be used to compromise a site. You can read more about the specific vulnerabilities patched here.
All WordPress versions are affected, and we advise you to update all of your sites as soon as possible.
There are also 4 bug fixes included in the patch:
- FIX – WPDB: When checking the encoding of strings against the database, make sure we’re only relying on the return value of strings that were sent to the database.
- FIX – Don’t blindly trust the output of glob() to be an array.
- FIX – Shortcodes: Handle do_shortcode('<[shortcode]') edge cases.
- FIX – Shortcodes: Protect newlines inside of CDATA.