// Post Status Notes

WordPress 6.0.2 Security and Maintenance Release: WordPress.org’s Bug Bounty Program at Work

Ram Gall over at Wordfence has a good breakdown of the three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. One is a high severity SQL injection (SQLi) vulnerability in the Links functionality, and the other two are medium severity Cross-Site Scripting (XSS) vulnerabilities.

Ram notes:

Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.

Robert Rowley dug deeper for Patchstack:

There are also no proofs of concept (or exploitation steps) nor any reports of these bugs being actively targeted in the wild. This is because the security bugs were reported and handled through WordPress.org’s official Bug Bounty program … as well as one WordPress security team member, John Blackbourn, who at this time is sponsored by Human Made.