WordPress has released WordPress 6.9.4, an additional security update that follows two earlier releases, versions 6.9.2 and 6.9.3. The new update was published after the WordPress security team discovered that not all vulnerabilities were properly addressed in the earlier patch.
Because this update resolves security issues in WordPress core, the project is recommending that site owners update their websites immediately.
Why WordPress Released Version 6.9.4
The sequence of updates began with WordPress 6.9.2, which was originally released to fix ten security vulnerabilities affecting WordPress core.
Shortly after the release, some website owners began reporting that their sites were displaying blank pages, often referred to as the WordPress white screen of death.
To address the issue, the WordPress team quickly released version 6.9.3, a bugfix update designed to restore functionality for affected sites.
However, further review by the security team revealed that some of the vulnerabilities were not fully patched in the earlier update, leading to the release of WordPress 6.9.4.
In its official advisory, WordPress explained:
“WordPress 6.9.2 and WordPress 6.9.3 were released yesterday, addressing 10 security issues and a bug that affected template file loading on a limited number of sites.
The WordPress Security Team has discovered that not all of the security fixes were fully applied, therefore 6.9.4 has been released containing the necessary additional fixes.
Because this is a security release, it is recommended that you update your sites immediately.”
Reports of Websites Breaking After the 6.9.2 Update
Soon after WordPress 6.9.2 was released, several users reported problems with their sites.
Some websites began displaying blank pages while the WordPress admin area remained accessible. Discussions quickly appeared in community forums and on Reddit, with users describing similar issues.
One user in the WordPress support forums wrote:
“A few minutes ago I got an update from Dreamhost that my website had automatically updated to WP 6.9.2. Now any page I try to load is coming up blank. I can still log into the back end and edit pages, but when I visit the home page or any other page nothing displays.”
Other users reported similar behavior shortly afterward.
A WordPress core developer responded to the discussion and explained that the issue appeared to be related to how certain themes were loading template files.
What Caused the WordPress White Screen Issue
According to the WordPress development team, the issue was linked to themes using a non standard method for loading template files.
Some themes passed a “stringable object” when loading template paths. WordPress does not officially support this approach because the template_include filter expects a string value.
When the security changes introduced in version 6.9.2 interacted with this unsupported behavior, it caused conflicts that prevented some sites from rendering pages.
Although the issue was technically caused by theme code rather than WordPress itself, the development team released version 6.9.3 to restore compatibility and resolve the issue quickly.
Vulnerabilities Addressed in the WordPress Security Update
The security release addresses ten vulnerabilities in WordPress core.
Security researchers at Wordfence published details for four of these vulnerabilities. Their severity ratings ranged between 4.3 and 6.5 on the CVSS scale, which places them in the medium severity category.
Importantly, the vulnerabilities require authentication. This means attackers would first need to gain access to a valid WordPress account before attempting exploitation.
The issues disclosed by Wordfence include:
- Missing authorization allowing authenticated users to create arbitrary notes through the REST API
- Sensitive information disclosure via the
query-attachmentsAJAX endpoint - Stored cross site scripting in navigation menu items
- XML External Entity injection through the bundled getID3 media library
Most Serious Vulnerability Involves the getID3 Library
The vulnerability with the highest severity rating involves the getID3 library, an external component used by WordPress to analyze media file metadata.
The issue could allow attackers to exploit XML entity substitution during parsing. If exploited successfully, the vulnerability could potentially allow attackers to read files stored on the server.
However, the attack requires Author level access or higher, meaning the attacker would already need the ability to upload media files to the website.
Full List of Vulnerabilities Fixed in WordPress 6.9.4
The WordPress security release addressed ten vulnerabilities:
- Blind server side request forgery (SSRF)
- PHP object injection chain in the HTML API and block registry
- Regular expression denial of service issue
- Stored cross site scripting in navigation menus
- Authorization bypass in the query attachments AJAX endpoint
- Stored XSS via the
data-wp-binddirective - Cross site scripting allowing template overrides in the admin area
- Path traversal vulnerability in PclZip
- Authorization bypass in the Notes feature
- XML External Entity injection in the getID3 library
WordPress Recommends Updating Immediately
Although several of the vulnerabilities are rated as medium severity, security updates should always be installed as soon as possible.
Once vulnerabilities become publicly known, attackers often begin scanning for websites that have not yet installed the patch.
Website owners running WordPress should update their sites to WordPress 6.9.4 immediately to ensure all security fixes have been properly applied.
Keeping WordPress updated is one of the most important steps in maintaining a secure website. Regular maintenance, security monitoring, and plugin updates help reduce the risk of vulnerabilities being exploited. If you manage multiple WordPress sites, implementing a proper maintenance routine can significantly improve both security and reliability.