WordPress Core — Security Update!
WordPress 6.4.1 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch. The patch addresses a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. According to details published by Patchstack, the 6.4.1 update prevents PHP object injections from being chained into a potential RCE.
WordPress 6.4.1 was released on November 8, 2023, as a short-cycle maintenance release to address several bugs, including a loss of backward compatibility with one of its dependencies, cURL, at version 7.29 or earlier. That incompatibility broke the WordPress internal update facility on servers running very old, insecure cURL versions.
WordPress 6.4 was released on November 7, 2023, as the third major release of the year. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.