According to Roger Montti’s article on Search Engine Journal, “WordPress Security Release 6.9.4 Fixes Issues 6.9.2 Failed To Address,” WordPress issued multiple follow-up updates after an initial security patch failed to fully resolve key vulnerabilities.
A Series of Security Updates
Montti explains that WordPress released version 6.9.2 to address ten vulnerabilities, but this update caused site crashes and blank pages for some users. WordPress subsequently released version 6.9.3 to resolve compatibility issues, particularly those involving non-standard theme coding.
Because some vulnerabilities remained, WordPress released version 6.9.4 as an additional security update.
Why Sites Crashed
The disruption was caused by themes using unsupported methods to load template files. Although this was not a core WordPress issue, the update revealed these incompatibilities. WordPress promptly released version 6.9.3 to restore affected sites.
Vulnerability Details
Montti notes that security firm Wordfence disclosed four vulnerabilities, each with a medium severity rating (CVSS 4.3–6.5). These included:
- Cross-site scripting (XSS)
- Sensitive data exposure
- XML External Entity (XXE) injection via the getID3 library
In total, WordPress addressed 10 vulnerabilities, including SSRF, DoS, path traversal, and several XSS-related issues.
Most of these vulnerabilities require authentication, meaning attackers need some level of user access, from Subscriber to Administrator, to exploit them. Site owners should update to version 6.9.4 immediately, as it includes all fixes.
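One practical way to act on that advice across many sites is to read the installed version out of WordPress core and compare it with the patched release. The script below is an added example, not code from Montti's article, Search Engine Journal or the WordPress project; it assumes only that wp-includes/version.php still carries its usual `$wp_version = '...';` assignment, and the file contents embedded here are a constructed sample standing in for a site still on 6.9.2.

```python
import re

# Patched release named in the report; anything older still carries unfixed issues.
FIXED_VERSION = "6.9.4"

# Constructed sample of the relevant line from wp-includes/version.php (a real core
# file); the value is made up to represent a site still on the 6.9.2 release.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '6.9.2';
"""


def parse_version(text: str) -> tuple:
    """Turn '6.9.2' into (6, 9, 2) so releases compare numerically, not as strings.

    A suffix such as '-RC1' or '-alpha' is dropped, which is enough for
    comparing stable releases like the ones discussed above.
    """
    core = re.split(r"[^0-9.]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part != "")


def installed_version(version_php: str) -> str:
    """Pull the $wp_version assignment out of the contents of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if match is None:
        raise ValueError("no $wp_version assignment found in version.php contents")
    return match.group(1)


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is older than the one containing all fixes."""
    return parse_version(installed) < parse_version(fixed)


def check_site(version_php: str) -> dict:
    """Summarise one site: which version it runs and whether it is behind 6.9.4."""
    version = installed_version(version_php)
    return {"installed": version, "needs_update": needs_update(version)}


if __name__ == "__main__":
    # In practice, read the real file: open("/path/to/site/wp-includes/version.php").read()
    print(check_site(SAMPLE_VERSION_PHP))
```

Because the comparison is done on integer tuples, a hypothetical 6.10.0 is correctly treated as newer than 6.9.4, which a plain string comparison would get wrong.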
Montti’s report highlights that even routine security updates can introduce unexpected issues, emphasizing the need to stay current with follow-up releases to maintain site security and stability.