This security and maintenance release features 5 bug fixes on Core , 16 bug fixes for the Block Editor , and 2 security fixes.
Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.
You can download WordPress 6.4.3 from WordPress.org , or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.
WordPress 6.4.3 is a short-cycle release. The next major release will be version 6.5 planned for 26 March 2024. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement . For further information on this release, please visit the HelpHub site .
Security updates included in this release
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:
- m4tuto for finding a PHP File Upload bypass via Plugin Installer (requiring admin privileges).
- @_s_n_t of @pentestltd working with Trend Micro Zero Day Initiative for finding an RCE POP Chains vulnerability.
Thank you to these WordPress contributors
This release was led by Sarah Norris , Joe McGill , and Aaron Jorbin .
WordPress 6.4.3 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.
Aki Hamano , Alex Concha , Alex Lende , Alex Stine , Andrea Fercia , Andrei Draganescu , Andrew Ozz , Andrew Serong , Andy Fragen , Ari Stathopoulos , Artemio Morales , ben , bobbingwide , Carlos Bravo , Carolina Nymark , Česlav Przywara , Colin Stewart , Daniel Käfer , Daniel Richards , Dominik Schilling , Ella , Erik , George Mamadashvili , Greg Ziółkowski , Isabel Brison , Joen A. , John Blackbourn , Jonathan Desrosiers , joppuyo , Lax Mariappan , luisherranz , Markus , Michal Czaplinski , Mukesh Panchal , Nik Tsekouras , Niluthpal Purkayastha , Noah Allen , Pascal Birchler , Peter Wilson , ramonopoly , Riad Benguella , Sergey Biryukov , Stephen Bernhardt , Teddy Patriarca , Tonya Mork
How to contribute
To get involved in WordPress core development, head over to Trac, pick a ticket , and join the conversation in the #core and #6-5-release-leads channels . Need help? Check out the Core Contributor Handbook .
As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks .
Thanks to Angela Jin , Ehtisham S. , Jb Audras, and Marius L. J. for proofreading.