WordPress 6.9.4 Security Release: Three CVEs and a Triple Patch Chaos
WordPress released versions 6.9.2, 6.9.3, and 6.9.4 within roughly 24 hours in March 2026. Three CVEs were only partially fixed in the first two releases, leaving millions of sites exposed until 6.9.4 shipped.
What Happened in March 2026
WordPress released version 6.9.2 on March 11, 2026 to address a set of security vulnerabilities. Within hours, it became clear that three of those vulnerabilities had not been fully resolved. WordPress then released 6.9.3 the same day, followed by 6.9.4 the following day. All three releases happened within approximately 24 hours, a sequence that created significant confusion among site administrators and hosting providers.
The only version that is fully safe as of April 2026 is WordPress 6.9.4. Any site running 6.9, 6.9.1, 6.9.2, or 6.9.3 remains vulnerable to at least one of the three CVEs described below.
CVE-2026-3906: Notes Authorization Bypass
This vulnerability exists in the Notes feature introduced in WordPress 6.9, which adds block-level collaboration annotations handled through the comments REST controller. The controller's create_item_permissions_check() method did not verify that the authenticated user holds the edit_post capability for the target post before allowing a note to be created on it.
An authenticated attacker with Subscriber-level access, the lowest default role, could therefore create notes on any post, including posts authored by other users, private posts, and posts in any publication status. CVSS score: 6.4 (Medium). Requires authentication, but any registered account suffices.
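The missing check, as a Python model added here (this is not WordPress's PHP code). The role table is a simplified subset of WordPress's default roles and of the edit_post meta-capability mapping; the users and posts are constructed for the demo. The vulnerable variant lets any logged-in user through, as the advisory describes; the fixed variant requires edit_post on the target post, which is why a Subscriber fails and an Author succeeds only on posts they may edit.

```python
"""Model of the missing edit_post check behind CVE-2026-3906.

Added example, not WordPress core code. ROLE_CAPS and user_can_edit_post()
are a simplified version of WordPress's default roles and map_meta_cap()
rules for the edit_post meta-capability (an assumption of this demo);
users and posts are constructed here.
"""
from dataclasses import dataclass

# Simplified role -> primitive capabilities (subset of WordPress defaults).
ROLE_CAPS = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts"},
    "author": {"read", "edit_posts", "edit_published_posts", "publish_posts"},
    "editor": {"read", "edit_posts", "edit_others_posts",
               "edit_published_posts", "edit_private_posts", "publish_posts"},
}


@dataclass
class User:
    user_id: int
    role: str
    logged_in: bool = True


@dataclass
class Post:
    post_id: int
    author_id: int
    status: str  # "publish", "draft" or "private"


def user_can_edit_post(user: User, post: Post) -> bool:
    """Simplified edit_post meta-cap: the primitive caps a user needs depend
    on whether they authored the post and on the post's status."""
    caps = ROLE_CAPS.get(user.role, set())
    if post.author_id == user.user_id:
        needed = {"edit_posts"}
        if post.status == "publish":
            needed.add("edit_published_posts")
    else:
        needed = {"edit_others_posts"}
        if post.status == "publish":
            needed.add("edit_published_posts")
        elif post.status == "private":
            needed.add("edit_private_posts")
    return needed <= caps


def create_note_permission_vulnerable(user: User, post: Post) -> bool:
    """Pre-6.9.4 behaviour as the advisory describes it: being authenticated
    is enough, the target post is never consulted."""
    return user.logged_in


def create_note_permission_fixed(user: User, post: Post) -> bool:
    """Hardened check: the caller must also be able to edit the target post."""
    return user.logged_in and user_can_edit_post(user, post)


if __name__ == "__main__":
    subscriber = User(7, "subscriber")
    private_post = Post(10, author_id=2, status="private")
    print("vulnerable:", create_note_permission_vulnerable(subscriber, private_post))
    print("fixed:     ", create_note_permission_fixed(subscriber, private_post))
```

The point to carry over to any custom REST route: a permissions callback that only checks `is_user_logged_in()` is an authentication check, not an authorization check; the object the request acts on has to be part of the decision.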
CVE-2026-3907: PclZip Path Traversal
A path traversal (zip-slip) vulnerability in the PclZip library bundled with WordPress core. An archive whose entry names contain traversal sequences such as ../ causes files to be written outside the intended plugins or themes directory, so an attacker with access to the theme or plugin installation interface can place files at arbitrary locations on the server. CVSS score: 8.1 (High). Requires Administrator-level access, the role that can install plugins and themes on a single-site install by default.
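What a zip-slip check looks like, as an added Python example (not PclZip or WordPress code). Both archives are constructed in memory so the script runs offline: a benign plugin archive and one carrying an entry named ../../wp-config.php. The check resolves every target path against the extraction root before writing anything, so a malicious archive is refused as a whole rather than partially extracted.

```python
"""Zip-slip detection and safe extraction, the class of flaw CVE-2026-3907
describes in PclZip.

Added example, not WordPress or PclZip code. The archives below are
constructed for the demo; the extraction root is a scratch directory.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def traversal_entries(archive: bytes) -> list[str]:
    """Return member names that would land outside the extraction root:
    absolute paths, Windows drive letters, or any '..' component."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            p = PurePosixPath(name.replace("\\", "/"))
            drive = len(name) > 1 and name[1] == ":"
            if p.is_absolute() or ".." in p.parts or drive:
                bad.append(name)
    return bad


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Extract only after resolving every target and confirming it stays
    under dest. The whole archive is refused before any write happens."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = zf.infolist()
        for info in members:
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"path traversal in archive entry: {info.filename!r}")
        written = []
        for info in members:
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; zipfile does not sanitise names on write,
    which is exactly how a hostile archive is produced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives.
BENIGN_ZIP = build_archive({"my-plugin/my-plugin.php": b"<?php // plugin\n"})
MALICIOUS_ZIP = build_archive({
    "my-plugin/my-plugin.php": b"<?php // plugin\n",
    "../../wp-config.php": b"<?php // attacker-controlled config\n",
})


def demo() -> tuple[list[str], bool]:
    """Extract the benign archive, then show the malicious one being refused.
    Returns (files written from the benign archive, malicious refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plugins"
        root.mkdir()
        written = [p.relative_to(root.resolve()).as_posix()
                   for p in safe_extract(BENIGN_ZIP, root)]
        try:
            safe_extract(MALICIOUS_ZIP, root)
            refused = False
        except ValueError:
            refused = True
    return written, refused


if __name__ == "__main__":
    print("suspicious entries:", traversal_entries(MALICIOUS_ZIP))
    print("benign written, malicious refused:", demo())
```

The pre-scan in traversal_entries() is the cheap filter to run on uploads before they reach any extractor; the resolve-and-compare in safe_extract() is the check the extractor itself must do, because name-based filtering alone misses symlinked directories and platform-specific separators.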
CVE-2026-3908: getID3 XXE Injection
An XML External Entity (XXE) injection vulnerability in the getID3 library used by WordPress to parse media file metadata. A crafted media file carrying XML metadata with an external entity declaration, uploaded by a user with upload permissions, can trigger external entity resolution during parsing, potentially disclosing sensitive server files. CVSS score: 7.5 (High). Requires Contributor-level access or higher. Note that a default WordPress Contributor does not hold the upload_files capability (it is granted from Author upward), so on a stock install the lowest role that can actually upload media is Author; sites that grant upload_files more broadly lower the bar accordingly.
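The hardening a metadata parser needs against this class of bug, as an added Python example (not getID3 or WordPress code). The XMP-style metadata blobs are constructed for the demo. The rule is simple and fails closed: media metadata never legitimately needs a DOCTYPE, and a DOCTYPE is the only place an entity can be declared, so any DOCTYPE or ENTITY declaration in the raw bytes is refused before the XML parser ever sees it.

```python
"""Refusing DTD declarations in embedded XML metadata, the hardening
relevant to CVE-2026-3908 (XXE via getID3).

Added example, not getID3 or WordPress code. The metadata blobs are
constructed; the check assumes an ASCII-compatible encoding such as UTF-8
(UTF-16 metadata would need decoding first).
"""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration is grounds for rejection. Checking the
# raw bytes means the decision does not depend on which parser features
# (external entities, expansion limits) the underlying library enables.
_DTD_MARKER = re.compile(rb"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


def has_dtd(xml_bytes: bytes) -> bool:
    """True if the blob declares a DTD or an entity anywhere. A match inside
    a comment is a false positive we accept: the file is rejected either way."""
    return _DTD_MARKER.search(xml_bytes) is not None


def parse_metadata(xml_bytes: bytes) -> dict[str, str]:
    """Parse a flat XML metadata blob into {tag: text}, refusing any DTD.
    Only after the pre-check does the blob reach the parser."""
    if has_dtd(xml_bytes):
        raise ValueError("refusing XML metadata with a DOCTYPE/ENTITY declaration")
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "") for child in root}


# Constructed samples: ordinary metadata and an XXE payload that would read
# /etc/passwd on a parser that resolves external entities.
CLEAN_META = b"<meta><title>Podcast 12</title><artist>Example</artist></meta>"
XXE_META = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE meta [<!ENTITY leak SYSTEM "file:///etc/passwd">]>'
    b"<meta><title>&leak;</title></meta>"
)


if __name__ == "__main__":
    print(parse_metadata(CLEAN_META))
    try:
        parse_metadata(XXE_META)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright also closes the entity-expansion (billion laughs) variant, which a parser that merely declines to fetch external entities still processes.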
What You Must Do Now
If your site is running any version of WordPress earlier than 6.9.4, update immediately. All three vulnerabilities require authentication, which limits the immediate risk, but Subscriber-level access is easily obtained on sites with open registration. Check the version in the WordPress admin dashboard, or with `wp core version` if WP-CLI is installed, and apply the update. Sites with background core updates enabled, the default for minor releases, should already be on 6.9.4, but confirm rather than assume: hosts and the WP_AUTO_UPDATE_CORE constant commonly disable them.
ScanMyWordPress users on Pro and Lifetime plans received an automatic alert when 6.9.4 was released. If you are not yet monitoring your WordPress core version automatically, this incident is a clear example of why you should be.