WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes or consult the list of changes.

Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.

Thanks to everyone who contributed to 4.6.1:

Andrew OzzbongerBoone GorgesChaos EngineDaniel Kanchev, Dion Hulse, Drew Jaynes, Felix ArntzFredrik ForsmoGary PendergastgeminorumIan Dunn, Ionut Stanciu, Jeremy Felt, Joe McGillMarius L. J. (Clorith)Pascal BirchlerRobert D PayneSergey Biryukov, and Triet Minh.

continue reading.....