On March 11, 2026, WordPress 6.9.4 was released to the public. This is a security release that includes additional fixes that were not fully applied to the earlier 6.9.2 security release and 6.9.3 bug fix release.
Because this is a security release, it is recommended that you update your sites immediately.
Installation/Update Information
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Summary
Security updates
This release features several security fixes that were not fully applied to the 6.9.2 release. Because this is a security release, it is recommended that you update your sites immediately.
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:
- A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
- An authorization bypass on the Notes feature reported by kaminuma
- An XXE in the external getID3 library reported by Youssef Achtatal
- Thomas Kräftner for his responsible disclosure
The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 is available here.
Change log
List of files revised
/wp-admin/includes/file.php
/wp-includes/ID3/getid3.lib.php
/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
List of packages revised
No package was revised.