WordPress 6.9.4 Released After Some Security Fixes Were Not Fully Applied in 6.9.2 and 6.9.3


WordPress 6.9.4 has been released after the WordPress Security Team discovered that not all security fixes were fully applied in WordPress 6.9.2 and the follow-up hotfix 6.9.3, which were issued on the same day. The new release now includes the missed security patches.

WordPress 6.9.2 and 6.9.3 Recap

WordPress 6.9.2 was released on March 10, 2026 to address 10 security vulnerabilities, but also introduced a bug that caused the front end of some websites to appear blank. The issue was later resolved with the release of WordPress 6.9.3, a follow-up hotfix that fixed the bug while also including the same security patches.

However, the WordPress Security Team later discovered that three of the intended security fixes were not fully applied in those releases. These included a PclZip path traversal vulnerability reported by Francesco Carlucci and kaminuma, an authorization bypass in the Notes feature reported by kaminuma, and an XML external entity (XXE) vulnerability in the external getID3 library reported by Youssef Achtatal. The WordPress Security Team also acknowledged Thomas Kräftner for responsibly reporting that some of the security fixes had not been fully applied.

The security fixes in WordPress 6.9.4 will be backported to all eligible WordPress branches, which currently go back to version 4.7.

WordPress 7.0 Beta 5 is scheduled for March 12, 2026, with the final release planned for Contributor Day at WordCamp Asia 2026.
