Today a customer did the right thing and forwarded a strange email to us to check whether it was genuine. It was not, and thanks to their they avoided an attempted phishing attack.
The email was made to look as if it was sent by WordPress, saying that a security risk (an so-called "Remote Code Execution (RCE) high-risk vulnerability") required a new patch, CVE-2024-41688. The "Download" link leads to a fake website which harvests user information.
If you have received an email with these details, ignore it and block the sender:
Subject: CRITICAL: Your website <example.com> is at risk!
Recommended WordPress patch: CVE-2024-46188 (which is a fake code - this patch does not exist)
More about WordPress impersonation scams
There have been a number of similar spam emails sent to WordPress users. WordPress's own security team has published an article about them. For more information and advice, see Alert: WordPress Security Team Impersonation Scams.