According to Roger Montti’s article on Search Engine Journal, “WordPress Security Release 6.9.4 Fixes Issues 6.9.2 Failed To Address,” WordPress has issued an additional security update after earlier patches failed to fully resolve multiple vulnerabilities.
Multiple Releases Following Security Issues
Montti explains that WordPress released version 6.9.2 to address ten security issues, but some users encountered blank pages. Version 6.9.3 was released to resolve compatibility issues with specific themes.
WordPress later determined that some vulnerabilities remained unpatched, prompting the release of version 6.9.4 to complete the fixes.
What Went Wrong
Site crashes were linked to non-standard coding in certain themes, particularly in template file loading. Although the issue stemmed from unsupported theme behavior, WordPress addressed it in version 6.9.3 to restore functionality.
Vulnerabilities and Risk Level
Montti highlights that Wordfence detailed four vulnerabilities, rated medium severity (CVSS 4.3–6.5) and requiring authentication to exploit. These included issues such as:
- Authorization bypass vulnerabilities
- Stored cross-site scripting (XSS)
- Sensitive information disclosure
- XML External Entity (XXE) injection via a bundled library
In total, WordPress addressed ten vulnerabilities, including SSRF, DoS, path traversal, and additional XSS-related flaws.
Recommended Action
WordPress advises site owners to update immediately to version 6.9.4, which includes all security fixes. Although many vulnerabilities require authentication, unpatched sites remain at risk of attack.
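A fleet-wide version check is the practical side of that advice. The following is an added example, not code from WordPress or from Montti's article: it pulls `$wp_version` out of `wp-includes/version.php` (the file WordPress core really uses for this) and compares it against 6.9.4 with a comparison that neither mistakes 6.9.10 for an older release nor treats a 6.9.4 release candidate as the final build; the sample file contents are constructed.

```python
"""Report whether a WordPress install is still below the 6.9.4 security release."""
import re
from typing import Optional

# The release this page says finally closes all ten issues (6.9.2/6.9.3 left some open).
REQUIRED_VERSION = "6.9.4"

# WordPress core defines the version as: $wp_version = '6.9.4';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

# Constructed stand-in for the contents of wp-includes/version.php on a lagging site.
SAMPLE_VERSION_PHP = """<?php
/* constructed sample, not a real core file */
$wp_version = '6.9.2';
"""


def parse_version(text: str) -> tuple:
    """Turn '6.9.4', '6.10' or '6.9.4-RC1' into a tuple that sorts correctly.

    Numeric parts compare as integers (6.10 > 6.9, 6.9.10 > 6.9.4); a missing
    patch number counts as 0; a pre-release suffix such as '-RC1' or '-beta2'
    sorts below the final release with the same number.
    """
    core, _, suffix = text.strip().partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))          # pad so 6.9 == 6.9.0
    # Final release -> (1, ""); pre-release -> (0, suffix) so it orders first.
    return nums + ((0, suffix.lower()) if suffix else (1, ""))


def read_wp_version(version_php: str) -> Optional[str]:
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    match = _VERSION_RE.search(version_php)
    return match.group(1) if match else None


def needs_update(version: str, required: str = REQUIRED_VERSION) -> bool:
    """True when `version` is older than the required security release."""
    return parse_version(version) < parse_version(required)


def audit_version_file(version_php: str) -> dict:
    """Summarise one install: its version and whether it must be updated."""
    version = read_wp_version(version_php)
    if version is None:
        return {"version": None, "required": REQUIRED_VERSION, "needs_update": True}
    return {"version": version, "required": REQUIRED_VERSION,
            "needs_update": needs_update(version)}


if __name__ == "__main__":
    print(audit_version_file(SAMPLE_VERSION_PHP))
```

An install reporting 6.9.2 or 6.9.3 is flagged even though each was itself a security release, since the page states that only 6.9.4 completes the fixes.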
Montti’s report highlights the complexity of security patching in widely used platforms and reinforces the importance of applying updates promptly, even when multiple follow-up releases are necessary.