WordPress Security Release 6.9.4 Fixes Issues 6.9.2 Failed To Address

According to Roger Montti’s article on Search Engine Journal, “WordPress Security Release 6.9.4 Fixes Issues 6.9.2 Failed To Address,” WordPress issued multiple follow-up updates after an initial security patch failed to fully resolve key vulnerabilities.

A Series of Security Updates

Montti explains that WordPress released version 6.9.2 to address ten vulnerabilities, but the update led to site crashes and blank pages for some users. WordPress then issued version 6.9.3 to resolve compatibility issues, especially those related to non-standard theme coding.

When some vulnerabilities remained unresolved, WordPress released version 6.9.4 as an additional security update.

Why Sites Crashed

The disruption resulted from themes using unsupported methods to load template files. Although the root cause lay in those themes rather than in WordPress core, the 6.9.2 update exposed the incompatibilities. WordPress promptly released version 6.9.3 to restore affected sites.

Vulnerability Details

Montti notes that security firm Wordfence disclosed four vulnerabilities, each with a medium severity rating (CVSS 4.3–6.5). These included:

  • Cross-site scripting (XSS)
  • Sensitive data exposure
  • XML External Entity (XXE) injection via the getID3 library

In total, WordPress addressed ten vulnerabilities, such as SSRF, DoS, path traversal, and several XSS-related issues.

Importantly, most of these vulnerabilities require authentication, so attackers need some level of user access, from Subscriber to Administrator, to exploit them. Site owners should update to version 6.9.4 immediately, as it includes all fixes.
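Because the fix lives in WordPress core, the practical check is whether each install actually reports 6.9.4 or later. The script below is an added example, not part of the article: it reads the `$wp_version` constant that WordPress core keeps in `wp-includes/version.php`, compares it against 6.9.4 with a dotted-version comparison (so 6.10 correctly sorts above 6.9.4), and exits non-zero when the update is still outstanding. The file paths and the two sample `version.php` files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): report whether a WordPress install is at or
# above the 6.9.4 security release. Reads $wp_version from wp-includes/version.php.

PATCHED_VERSION="6.9.4"

# Print the value of $wp_version from a version.php file (empty if not found).
# Matches lines such as:  $wp_version = '6.9.2';
wp_installed_version() {
    awk -F "'" '/^[$]wp_version[ \t]*=/ { print $2; exit }' "$1"
}

# Compare two dotted versions numerically, component by component.
# Prints 0 if a == b, 1 if a > b, 2 if a < b. Missing components count as 0.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai > bi) { print 1; exit }
            if (ai < bi) { print 2; exit }
        }
        print 0
    }'
}

# Exit 0 when the install is at or above PATCHED_VERSION, 1 when it needs the update,
# 2 when the version could not be read. $1 = path to wp-includes/version.php.
wp_is_patched() {
    installed=$(wp_installed_version "$1")
    if [ -z "$installed" ]; then
        echo "could not read \$wp_version from $1" >&2
        return 2
    fi
    case $(version_cmp "$installed" "$PATCHED_VERSION") in
        2) echo "$1: $installed is below $PATCHED_VERSION, update required"; return 1 ;;
        *) echo "$1: $installed is at or above $PATCHED_VERSION"; return 0 ;;
    esac
}

# Write a constructed stand-in for wp-includes/version.php. $1 = path, $2 = version.
make_sample() {
    cat > "$1" <<EOF
<?php
\$wp_version = '$2';
\$wp_db_version = 0;
EOF
}

# Demo over two constructed installs: one still on 6.9.2, one on 6.9.4.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/old-site-version.php" "6.9.2"
    make_sample "$tmp/new-site-version.php" "6.9.4"
    wp_is_patched "$tmp/old-site-version.php" || :
    wp_is_patched "$tmp/new-site-version.php" || :
    rm -rf "$tmp"
}

demo
```

On a real host, point `wp_is_patched` at `/path/to/wordpress/wp-includes/version.php` for each site; the non-zero exit status makes it easy to loop over a fleet and collect the installs that still need the update. Where WP-CLI is available, `wp core version` and `wp core update` give the same information and apply the fix.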

Montti’s report highlights that even routine security updates can introduce unexpected complications, underscoring the importance of staying current with follow-up releases to maintain site security and stability.
