WordPress 6.9.2 Release

WordPress 6.9.2 is now available!

This is a security release that features several fixes.

Because this is a security release, it is recommended that you update your sites immediately.

You can download WordPress 6.9.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

The next major release will be version 7.0, which is planned for April 9th, 2026.

For more information on WordPress 6.9.2, please visit the version page on the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • A Blind SSRF issue reported by sibwtf, and subsequently by several other researchers while the fix was being worked on
  • A PoP-chain weakness in the HTML API and Block Registry reported by Phat RiO
  • A regex DoS weakness in numeric character references reported by Dennis Snell of the WordPress Security Team
  • A stored XSS in nav menus reported by Phill Savage
  • An AJAX query-attachments authorization bypass reported by Vitaly Simonovich
  • A stored XSS via the data-wp-bind directive reported by kaminuma
  • An XSS that allows overriding client-side templates in the admin area reported by Asaf Mozes
  • A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
  • An authorization bypass on the Notes feature reported by kaminuma
  • An XXE in the external getID3 library reported by Youssef Achtatal

The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 is available here.

As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, only the most recent version of WordPress is actively supported. The backports are in progress and will ship as they become ready.

Thank you to these WordPress contributors

This release was led by John Blackbourn. In addition to the security researchers mentioned above, WordPress 6.9.2 would not have been possible without the contributions of the following people: Dennis Snell, Alex Concha, Jon Surrell, Isabel Brison, Peter Wilson, Jonathan Desrosiers, Jb Audras, Luis Herranz, Aaron Jorbin, Weston Ruter, and Dominik Schilling.
