WordPress 6.9.4 is now available!
WordPress 6.9.2 and WordPress 6.9.3 were released yesterday, addressing 10 security issues and a bug that affected template file loading on a limited number of sites.
The WordPress Security Team has discovered that not all of the security fixes were fully applied, therefore 6.9.4 has been released containing the necessary additional fixes.
Because this is a security release, it is recommended that you update your sites immediately.
You can download WordPress 6.9.4 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.
For more information on WordPress 6.9.4, please visit the version page on the HelpHub site.
Security updates included in this release
The security team would like to thank the contributors who reported and investigated this issue, in particular Thomas Kräftner for his responsible disclosure. The security issues that are resolved in 6.9.4 are:
- A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
- An authorization bypass on the Notes feature reported by kaminuma
- An XXE in the external getID3 library reported by Youssef Achtatal