WordPress 6.8.2 security release patches critical XSS vulnerability
WordPress has released version 6.8.2, an emergency security update that patches a critical stored cross-site scripting (XSS) vulnerability in the block editor. The vulnerability affects all WordPress installations running version 6.5 or later.
The flaw could allow authenticated users with contributor-level access or above to inject malicious JavaScript into posts, which would then execute when viewed by administrators or other users. This type of vulnerability is particularly dangerous in multi-author blogs and enterprise WordPress installations.
Site administrators are strongly recommended to update immediately. The update also includes several other security hardening improvements and bug fixes. Automatic updates should handle this for most installations, but manual verification is recommended for mission-critical sites.
Stored XSS in the block editor is a serious threat — it lets low-privilege users inject persistent malicious code that executes for admins. Any WordPress site on 6.5+ running multi-author workflows should treat this as a zero-day and update immediately.
How do I check if my WordPress site is affected?
Go to your WordPress admin dashboard → Updates. If you see WordPress 6.8.2 available, your site needs updating. If it says you're running the latest version, you're already patched.