WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
In short, don't dilly-dally.
With the huge number of sites running WordPress, and the frequency with which attackers exploit vulnerabilities on the platform to launch malicious attacks, it makes sense for self-hosting bloggers to update their systems as soon as possible.
Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but the above fix addresses bugs in the main WordPress content management system itself. Meaning that just about any site running WordPress could be at risk.
Fortunately, updating is pretty easy. Go to your WordPress admin panel and chooseDashboard > Updates.
Friday, September 9, 2016