It's not uncommon for WordPress, or any software for that matter, to publish a bug fix update following a version update in order to fix unforeseen issues and introduce improvements that did not make it in time for the major release. This update also includes a security update, which is somewhat uncommon for WordPress core.

Cross-Site Scripting in the Gutenberg block editor. The WordPress REST API is an interface that allows plugins and themes to interact with WordPress core. The REST API has been a source of security vulnerabilities, including most recently the Gutenberg Template Library & Redux Framework vulnerability that affected over a million websites... They can happen with any kind of input that is not sanitized to prevent the upload of scripts that can trigger unwanted behavior in a WordPress installation. The Open Web Application Security Project describes the potential harm of XSS vulnerabilities. The browser has no way to know that the script should not be trusted, and will execute the script.

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function... There appear to be many other vulnerabilities affecting Lodash in the branch as well.