Version 6.9.2

On March 10, 2026, WordPress 6.9.2 was released to the public.

Installation/Update Information

To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

Security updates

This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • A Blind SSRF issue reported by sibwtf, and subsequently by several other researchers while the fix was being worked on
  • A PoP-chain weakness in the HTML API and Block Registry reported by Phat RiO
  • A regex DoS weakness in numeric character references reported by Dennis Snell of the WordPress Security Team
  • A stored XSS in nav menus reported by Phill Savage
  • An AJAX query-attachments authorization bypass reported by Vitaly Simonovich
  • A stored XSS via the data-wp-bind directive reported by kaminuma
  • An XSS that allows overriding client-side templates in the admin area reported by Asaf Mozes
  • A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
  • An authorization bypass on the Notes feature reported by kaminuma
  • An XXE in the external getID3 library reported by Youssef Achtatal

The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 is available here.

As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, only the most recent version of WordPress is actively supported.

Change log

List of files revised

/wp-admin/includes/class-walker-nav-menu-checklist.php
/wp-admin/includes/class-walker-nav-menu-edit.php
/wp-admin/includes/file.php
/wp-includes/html-api
/wp-includes/class-wp-html-tag-processor.php
/wp-includes/ID3/getid3.lib.php
/wp-includes/interactivity-api/class-wp-interactivity-api.php
/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
/wp-includes/class-wp-block-patterns-registry.php
/wp-includes/class-wp-http-ixr-client.php
/wp-includes/kses.php
/wp-includes/media.php
/wp-includes/nav-menu.php
/wp-includes/template-loader.php

List of packages revised

No package was revised.
