WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
Thank you to the reporters for practicing responsible disclosure.
Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.
Thanks to everyone who contributed to 4.6.1:
Andrew Ozz, bonger, Boone Gorges, Chaos Engine, Daniel Kanchev, Dion Hulse, Drew Jaynes, Felix Arntz, Fredrik Forsmo, Gary Pendergast, geminorum, Ian Dunn, Ionut Stanciu, Jeremy Felt, Joe McGill, Marius L. J. (Clorith), Pascal Birchler, Robert D Payne, Sergey Biryukov, and Triet Minh.