WordPress 6.9.2, which addressed 10 security vulnerabilities, also introduced a bug that caused the front-end of multiple websites to appear blank. The issue prompted a rapid follow-up hotfix, WordPress 6.9.3, which resolved the front-end bug while also including the same security fixes.
The Security Vulnerabilities Addressed
WordPress 6.9.2 addressed several vulnerabilities reported by security researchers, including a blind server-side request forgery (SSRF) issue, a PoP-chain weakness affecting the HTML API and Block Registry, and a regex-based denial-of-service (DoS) flaw. It also fixed multiple stored cross-site scripting (XSS) vulnerabilities, an AJAX authorization bypass, a PclZip path traversal issue, and an authorization bypass in the Notes feature.
The update also resolved a vulnerability in the external getID3 library, which was coordinated with its maintainer, James Heinrich.
Blank Front-End Issue Reported After Release
Roughly two hours after the release of WordPress 6.9.2, Jos Klever (owner of Jos Klever Web Supprot) reported in the #Core channel on Slack that the update was causing websites to show blank pages on the front end, “ After the WP 6.9.2 update I see multiple sites that stay totally blank at the frontend. The backend is still working. I’ve Isolated it to the theme (in my cases Virtue Premium), but I also see a support thread where other themes are mentioned.Did something change in loading themes with WP 6.9.2 that can have caused this? It’s definitely no caching issue and there’s nothing in the error logs or browser console.”
Jos Klever was later able to resolve the issue with a workaround where he replaced wp-includes/template-loader.php with the version of 6.9.1.
The Root Cause and Fix
The Core committers traced the root cause to the template_include filter, as highlighted by John Blackbourn, “ The issue is the Boldgrid_Framework_Wrapper class that gets passed to the template_include filter as an object and its __toString method normally kicks in later. 6.9.2 is not compatible with this approach.”
Following this,WordPress 6.9.3 was released to resolve the issue. The team clarified that the problem was linked to some themes using an unusual method to load template files as stated, “ The issue has been narrowed down to some themes using an unusual approach to loading template files via “stringable objects” instead of primitive strings for file paths.”
The team also highlighted that this approach is not officially supported by WordPress, “Although this is not an officially supported approach to loading template files in WordPress (the template_include filter only accepts a string), it nevertheless caused some sites to break.”
The Crio theme also pushed an update from their side that resolved the issue.
WordPress 7.0 Beta 4
Following the release of WordPress 6.9.3, WordPress 7.0 Beta 4 was also issued to include the same security fixes to ensure those testing the upcoming first major release of this year also remain protected from the vulnerabilities.
WordPress 7.0 is set to be released on April 9, 2026, live during WordCamp Asia 2026 Contributor Day.