WordPress 4.6.1 is now available. This is a security release for all previous versions and all users are strongly encouraged to update their sites immediately.
The two security issues affecting WordPress 4.6 and earlier include:
- A cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin.
- A path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling.