WordPress 6.8.3 Security Release Ships With Two Fixes

WordPress has issued a new security release, version 6.8.3, which went live on September 30, 2025. In his announcement on the WordPress.org News blog, core developer John Blackbourn stressed that site owners should update immediately due to the nature of the fixes.

The release addresses two security issues: a data exposure bug that allowed authenticated users to access restricted content, and a cross-site scripting (XSS) vulnerability in navigation menus that also required an authenticated role. Multiple researchers, including Mike Nelson, Abu Hurayra, Timothy Jacobs, Peter Wilson, and Phill Savage, responsibly disclosed both issues.

Blackbourn noted that, as a courtesy, these fixes are also backported to all versions of WordPress that are still receiving security support (currently back to 4.7). However, he reminded users that only the most recent release is actively supported.

The next major update, WordPress 6.9, is scheduled for December 2, 2025.

This release highlights the ongoing collaboration between the WordPress security team, independent researchers, and contributors. Blackbourn credited dozens of contributors who helped make the release possible and encouraged developers to get involved via Trac or the #core Slack channel.
