As the release from WordPress yesterday says:
“WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
“WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
“In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes or consult the list of changes.”
This morning we have applied this update to all of the WordPress sites we host or support – as we do for all security releases. If we do not host or support your site, make sure it is up to date (or get in touch with us about hosting and supporting your WordPress site in future).