via wordfence.com => original post link
WordPress 6.5.2 was released yesterday, on April 9, 2024. It included a single security patch, along with a handful of bug fixes. The security patch was for a Stored Cross-Site Scripting vulnerability that could be exploited by both unauthenticated users, when a comment block is present on a page, and by authenticated users who have access to the block editor such as contributors.
All Wordfence users are protected against exploits targeting this vulnerability through unauthenticated methods. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability through authenticated methods on April 10, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 10, 2024.
The patch has been backported to version 6.1 and later of WordPress. We urge all WordPress users to verify that their sites are updated to 6.5.2, or another backported security release, immediately as this issue could allow full site takeover when the right conditions are met. Most sites should have auto-updated, however, it’s a good idea to verify the auto-update was successful.