WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.6 and earlier are affected by two security issues:
- a cross-site scripting vulnerability via image filename.
- a path traversal vulnerability in the upgrade package upload.
In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6.
Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.