Title: Version 6.9.4
Author: John Blackbourn
Published: March 11, 2026

---

# Version 6.9.4

## In this article

 * [Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#installation-update-information)
 * [Summary](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#summary)
    - [Security updates](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#maintenance-updates)
 * [Change log](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#changelog)
    - [List of files revised](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#list-of-files-revised)
    - [List of packages revised](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#list-of-packages-revised)

[ Back to top](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#wp--skip-link--target)

On March 11, 2026, WordPress 6.9.4 was released to the public. This is a security
release that includes additional fixes that were not fully applied to the earlier
[6.9.2 security release](https://wordpress.org/documentation/wordpress-version/version-6-9-2/)
and [6.9.3 bug fix release](https://wordpress.org/documentation/wordpress-version/version-6-9-3/).

Because this is a security release,** it is recommended that you update your sites
immediately**.

## 󠀁[Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#installation-update-information)󠁿

To get this version, update automatically from the Dashboard > Updates menu in your
site’s admin area or visit [https://wordpress.org/download/release-archive/](https://wordpress.org/download/release-archive/).

For step-by-step instructions on installing and updating WordPress:

 * [Updating WordPress](https://wordpress.org/documentation/article/updating-wordpress/)

If you are new to WordPress, we recommend that you begin with the following:

 * [New To WordPress – Where to Start](https://wordpress.org/support/article/new_to_wordpress_-_where_to_start/)
 * [First Steps With WordPress](https://wordpress.org/support/article/first-steps-with-wordpress/)
   or [Upgrading WordPress Extended](https://wordpress.org/documentation/article/upgrading-wordpress-extended-instructions/)
 * [WordPress Lessons](https://wordpress.org/support/article/wordpress-lessons/)

## 󠀁[Summary](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#summary)󠁿

### 󠀁[Security updates](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#maintenance-updates)󠁿

This release features several security fixes that were not fully applied to the 
6.9.2 release. Because this is a security release, **it is recommended that you 
update your sites immediately.**

The security team would like to thank the following people for [responsibly reporting vulnerabilities](https://hackerone.com/wordpress?type=team),
and allowing them to be fixed in this release:

 * A PclZip path traversal issue reported independently by [Francesco Carlucci](https://profiles.wordpress.org/francescocarlucci/)
   and [kaminuma](https://profiles.wordpress.org/kaminuma/)
 * An authorization bypass on the Notes feature reported by [kaminuma](https://profiles.wordpress.org/kaminuma/)
 * An XXE in the external getID3 library reported by [Youssef Achtatal](https://profiles.wordpress.org/regex33/)
 * [Thomas Kräftner](https://profiles.wordpress.org/kraftner) for his responsible
   disclosure

The WordPress security team have worked with the maintainer of the external getID3
library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 
[is available here](https://github.com/JamesHeinrich/getID3/releases).

## 󠀁[Change log](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#changelog)󠁿

### 󠀁[List of files revised](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#list-of-files-revised)󠁿

    ```wp-block-preformatted
    /wp-admin/includes/file.php/wp-includes/ID3/getid3.lib.php/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
    ```

### 󠀁[List of packages revised](https://wordpress.org/documentation/wordpress-version/version-6-9-4/?output_format=md#list-of-packages-revised)󠁿

No package was revised.

First published

March 11, 2026

Last updated

March 11, 2026