WordPress Releases 6.9.4 After Incomplete Security Fixes in Versions 6.9.2 and 6.9.3

WordPress released version 6.9.4 after discovering that earlier updates failed to fully apply fixes for ten security vulnerabilities affecting versions up to 6.9.1.

WordPress has released version 6.9.4 to address security fixes that were not fully applied in earlier updates, following a rapid sequence of patches that began with the security release of version 6.9.2. The update comes after reports that the previous releases both introduced technical issues and failed to fully resolve several vulnerabilities.

According to the WordPress Security Team, versions 6.9.2 and 6.9.3 were intended to address ten security issues affecting earlier versions of the platform. However, engineers later determined that not all of the intended fixes were properly applied, prompting the additional 6.9.4 release.

Because the update addresses security issues, WordPress recommends that site administrators update their installations immediately.

Security Update Followed by Rapid Patch Cycle

WordPress initially released version 6.9.2 as a security update intended to resolve ten vulnerabilities affecting versions up to 6.9.1. Shortly after deployment, some site operators reported that the update caused websites to display blank pages, a failure commonly referred to as the “white screen of death.”

Reports appeared in community forums and hosting provider notifications indicating that sites had automatically updated to the new version and immediately lost front-end functionality. In several cases, site administrators reported that they could still access the WordPress dashboard and edit content, but the public-facing pages returned empty output.

Within hours of the first reports, WordPress developers identified a compatibility issue related to how certain themes load template files.

The issue affected themes that used a non-standard approach to passing template file paths. These themes relied on a “stringable object” mechanism rather than returning a string value through the template_include filter, which is the officially supported method documented by WordPress.

According to WordPress developer documentation, the security changes in version 6.9.2 conflicted with this unsupported behavior. As a result, sites running affected themes failed to render page templates correctly.
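For contrast, here is the supported template_include usage beside the unsupported "stringable object" pattern the article describes. This is an added example, not WordPress core or any particular theme's code; the template path and page slug are hypothetical.

```php
<?php
// Supported: the callback returns a plain string path, which is what core
// expects from template_include.
add_filter( 'template_include', function ( $template ) {
    if ( is_page( 'landing' ) ) { // hypothetical page slug
        $custom = get_stylesheet_directory() . '/templates/landing.php';
        if ( file_exists( $custom ) ) {
            return $custom;
        }
    }
    return $template;
} );

// Unsupported: an object that only becomes a path when cast to string.
// Themes returning something like this from template_include conflicted
// with the 6.9.2 security change and rendered blank pages.
final class TemplatePath {
    public function __construct( private string $path ) {}
    public function __toString(): string { return $this->path; }
}

// Defensive shim for a site that cannot yet fix such a theme: run last and
// normalise any stringable object back to the plain string core expects.
add_filter( 'template_include', function ( $template ) {
    if ( is_object( $template ) && method_exists( $template, '__toString' ) ) {
        return (string) $template;
    }
    return $template;
}, PHP_INT_MAX );
```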

WordPress released version 6.9.3 shortly afterward to restore compatibility and prevent affected sites from displaying blank pages. The update adjusted the behavior introduced in the previous release so that sites using these non-standard theme implementations could continue functioning.

Although WordPress noted that the underlying issue originated in theme code rather than the core platform, the development team issued the patch to reduce disruption for site operators.

Additional Security Fixes Required

Following the deployment of versions 6.9.2 and 6.9.3, the WordPress Security Team conducted a further review of the security patches included in the original release.

According to the project’s advisory, the team determined that some of the intended fixes had not been fully applied. WordPress therefore released version 6.9.4 with the remaining corrections.

The release addresses the same set of vulnerabilities originally targeted in the earlier update cycle.

Medium-Severity Vulnerabilities Identified

Security company Wordfence published technical details for four of the vulnerabilities addressed in the update. These issues received Common Vulnerability Scoring System (CVSS) ratings between 4.3 and 6.5, placing them in the medium severity range.

All four vulnerabilities require authentication before they can be exploited, meaning an attacker must first obtain a user account with specific privileges.

The vulnerabilities described by Wordfence include:

  1. An authorization issue that allowed authenticated users with subscriber-level access to create arbitrary notes through the WordPress REST API.
  2. An authorization bypass affecting the query-attachments AJAX endpoint that could allow authenticated users with author-level access to obtain sensitive information.
  3. A stored cross-site scripting (XSS) vulnerability affecting navigation menu items that could be triggered by administrators.
  4. An XML External Entity (XXE) vulnerability in the bundled getID3 media analysis library.

The most serious of these issues involves XML parsing behavior within the getID3 library used to process media metadata. According to Wordfence documentation, the library’s configuration allowed entity substitution during XML parsing.

When WordPress processed media files containing XML metadata, such as iXML data embedded in WAV or AVI files, the parser could resolve external entities using the file:// protocol. Under certain conditions, this behavior could allow authenticated attackers with author-level privileges to read arbitrary files on the server.
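The difference between a parser that substitutes entities and one that does not comes down to how libxml is configured. The following is an added example, not getID3's or WordPress core's code, using a constructed iXML-style chunk to show the weak configuration beside a hardened one.

```php
<?php
// Constructed sample: metadata carrying a DOCTYPE with an entity declaration.
// Media metadata never legitimately needs a DTD, so its presence is a signal.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE BWFXML [ <!ENTITY note "replacement text"> ]>
<BWFXML><NOTE>&note;</NOTE></BWFXML>
XML;

// Weak: LIBXML_NOENT enables entity substitution, so declared entities
// (including external ones pointing at file:// or a URL) are resolved.
function parse_weak( string $xml ): ?SimpleXMLElement {
    $doc = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NOENT );
    return $doc ?: null;
}

// Hardened: reject any document that declares a DOCTYPE, never pass
// LIBXML_NOENT, and add LIBXML_NONET so the parser cannot reach the network.
function parse_hardened( string $xml ): ?SimpleXMLElement {
    if ( preg_match( '/<!DOCTYPE/i', $xml ) ) {
        error_log( 'rejected XML metadata containing a DOCTYPE' );
        return null;
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    return $doc ?: null;
}

$weak = parse_weak( $sample );
echo 'weak:     ', $weak ? (string) $weak->NOTE : 'rejected', PHP_EOL;
$hard = parse_hardened( $sample );
echo 'hardened: ', $hard ? (string) $hard->NOTE : 'rejected', PHP_EOL;
```

The hardened parser discards the sample outright because of its DOCTYPE; a DOCTYPE check on untrusted metadata is also an easy thing to alert on in upload handling.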

Full List of Patched Issues

WordPress has also published the complete list of ten vulnerabilities addressed in the security updates.

These include:

  • A blind server-side request forgery (SSRF) issue.
  • A property-oriented programming chain weakness in the HTML API and Block Registry.
  • A regular expression denial-of-service issue involving numeric character references.
  • A stored cross-site scripting vulnerability in navigation menus.
  • An authorization bypass affecting the query-attachments AJAX endpoint.
  • A stored cross-site scripting issue via the data-wp-bind directive.
  • An XSS vulnerability affecting client-side templates in the admin interface.
  • A path traversal vulnerability in the PclZip library.
  • An authorization bypass affecting the Notes feature.
  • An XML external entity vulnerability in the getID3 media library.

WordPress has not publicly assigned severity ratings to all ten issues, though several involve cross-site scripting and authorization checks that could enable misuse by authenticated users.

Although the vulnerabilities disclosed so far require authenticated access, the WordPress Security Team advises site administrators to update to version 6.9.4 as soon as possible.

Automatic updates are enabled for many installations, but administrators running managed hosting environments or manual update configurations may need to apply the update themselves.

The update concludes a rapid sequence of releases addressing both the original vulnerabilities and the compatibility issues introduced during the initial patch.

WordPress remains the most widely used content management system on the web, powering a significant portion of public websites. As a result, even moderate-severity vulnerabilities can have broad impact when left unpatched.