VYPR | patch | Published Mar 10, 2026 · Updated May 20, 2026 · 1 source

WordPress 6.9.2 Patches 11 Vulnerabilities Including Blind SSRF, XSS, and Path Traversal

WordPress 6.9.2, a security release fixing 11 vulnerabilities including a blind SSRF, stored XSS, path traversal, and an XXE in the bundled getID3 library, is available now with an urgent recommendation to update.

WordPress 6.9.2 is now available as a security release that patches 11 distinct vulnerabilities, addressing issues ranging from server-side request forgery and cross-site scripting to path traversal and XML external entity injection. The WordPress security team strongly recommends that all sites update immediately, as some of the flaws could allow unauthenticated attackers to compromise affected installations.

Among the most critical fixes is a blind Server-Side Request Forgery (SSRF) vulnerability reported by researcher sibwtf, and subsequently flagged by several other researchers while the fix was being developed. A blind SSRF can be leveraged to probe internal networks, access cloud metadata endpoints, or perform port scans from the server, potentially leading to lateral movement or data exfiltration.

The release also addresses a POP-chain weakness in the HTML API and Block Registry, reported by Phat RiO. POP chains — or Property-Oriented Programming chains — are a code-reuse technique that attackers can exploit to achieve arbitrary code execution when combined with deserialization of untrusted data. This vulnerability was found in core WordPress components, making it a significant concern for sites running custom plugins or themes that interact with these APIs.

Several cross-site scripting (XSS) vulnerabilities were also patched. Stored XSS in navigation menus, reported by Phill Savage, could allow an attacker with low-level access to inject malicious scripts that execute when administrators view affected menu entries. A separate stored XSS issue via the `data-wp-bind` directive, reported by kaminuma, and an XSS allowing client-side template override in the admin area, reported by Asaf Mozes, were also fixed. These could be used to hijack sessions, deface sites, or deliver malware to visitors.

An AJAX query-attachments authorization bypass, reported by Vitaly Simonovich, and an authorization bypass on the Notes feature, reported by kaminuma, round out the access-control fixes. These could allow authenticated users to access or modify resources they should not have permission to, potentially exposing draft content, media libraries, or private notes.

A PclZip path traversal issue, reported independently by Francesco Carlucci and kaminuma, could allow an attacker to write files to arbitrary directories on the server during archive extraction, a classic vector for achieving remote code execution in poorly configured environments. Additionally, an XXE vulnerability in the external getID3 library, reported by Youssef Achtatal, could be exploited to read arbitrary files or trigger denial-of-service conditions via malicious media files.
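As an added illustration of the archive path-traversal pattern described above (example code, not WordPress or PclZip code): a small Python extractor that refuses any entry whose resolved path would land outside the destination directory, exercised against a constructed in-memory archive that holds one benign entry and two traversal-shaped entry names.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two unsafe entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/readme.txt", "benign content\n")
        zf.writestr("../../outside.txt", "entry name climbs out of the destination\n")
        zf.writestr("/etc/absolute.txt", "entry name is an absolute path\n")
    return buf.getvalue()


def entry_is_safe(dest_dir: str, name: str) -> bool:
    """True only if the entry resolves to a path inside dest_dir."""
    normalised = name.replace("\\", "/")  # catch backslash traversal on POSIX too
    if normalised.startswith("/") or os.path.isabs(normalised):
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalised))
    # The resolved target must share the destination as its common prefix path.
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract only entries that stay within dest_dir; report the rejected ones."""
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(dest_dir, info.filename):
                result["rejected"].append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def demo() -> dict:
    """Run the checked extraction into a fresh temporary directory."""
    dest = tempfile.mkdtemp()
    return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    print(demo())
```

The check resolves the final path (including `..` components) rather than pattern-matching the entry name, so encoded or nested traversal sequences are judged by where they actually land.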

The WordPress security team coordinated with the maintainer of the getID3 library, James Heinrich, to release a patched version. Security fixes are being backported to all supported branches going back to WordPress 4.7, though only the latest version receives active support.

Site administrators are urged to update to WordPress 6.9.2 immediately via the WordPress Dashboard or by downloading from WordPress.org. Given the breadth of vulnerabilities patched — spanning unauthenticated, authenticated, client-side, and server-side attack vectors — delaying the update leaves sites exposed to a wide range of exploit techniques.

Synthesized by Vypr AI