To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Xin LI
Subject: git: 122fc90edc01 - main - www/wordpress: upgrade to 6.9.4 (security)
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: delphij
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 122fc90edc012755d590b9351834cc3f34ddf439
Auto-Submitted: auto-generated
Date: Thu, 12 Mar 2026 03:57:23 +0000
Message-Id: <69b239a3.43728.549e6c2f@gitrepo.freebsd.org>

The branch main has been updated by delphij:

URL: https://cgit.FreeBSD.org/ports/commit/?id=122fc90edc012755d590b9351834cc3f34ddf439

commit 122fc90edc012755d590b9351834cc3f34ddf439
Author:     Xin LI
AuthorDate: 2026-03-12 03:57:10 +0000
Commit:     Xin LI
CommitDate: 2026-03-12 03:57:10 +0000

    www/wordpress: upgrade to 6.9.4 (security)

    Upstream does not offer localized tarballs for 6.9.4, so download
    the 6.9.1 tarballs and apply files/patch-6.9.1-to-6.9.4 instead.
    Security fixes in 6.9.2:
    - Blind SSRF
    - PoP-chain weakness in HTML API and Block Registry
    - Regex DoS in Numeric Character References
    - Stored XSS in Nav Menus
    - AJAX query-attachments Authorization Bypass
    - Stored XSS via data-wp-bind directive
    - XSS allowing override of client-side templates in admin area
    - PclZip Path Traversal
    - Authorization Bypass on Notes feature
    - XXE in external getID3 library

    Bug fix in 6.9.3:
    - Restore compatibility for themes using stringable objects with
      the template_include filter (regression introduced in 6.9.2)

    Security fixes in 6.9.4 (incomplete fixes from 6.9.2 re-addressed):
    - PclZip Path Traversal
    - Authorization Bypass on Notes feature
    - XXE in external getID3 library
---
 www/wordpress/Makefile                   |   9 +-
 www/wordpress/files/patch-6.9.1-to-6.9.4 | 373 +++++++++++++++++++++++++++++++
 2 files changed, 378 insertions(+), 4 deletions(-)

diff --git a/www/wordpress/Makefile b/www/wordpress/Makefile index ebc233f89344..6779e5eb39ac 100644 --- a/www/wordpress/Makefile +++ b/www/wordpress/Makefile @@ -1,11 +1,12 @@ PORTNAME= wordpress -DISTVERSION= 6.9.1 +PORTVERSION= 6.9.4 PORTREVISION?= 0 .ifndef WORDPRESS_LANG +DISTNAME= wordpress-6.9.1 PORTEPOCH= 1 MASTER_SITES= https://wordpress.org/ .else -DISTVERSIONSUFFIX= -${WORDPRESS_LANG} +DISTNAME= wordpress-6.9.1-${WORDPRESS_LANG} MASTER_SITES?= https://${WORDPRESS_LANG}.wordpress.org/ .endif CATEGORIES+= www @@ -20,8 +21,8 @@ LICENSE_FILE= ${WRKSRC}/license.txt RUN_DEPENDS= ${PECL_PKGNAMEPREFIX}imagick>=2.2.2:graphics/pecl-imagick@${PHP_FLAVOR} USES= cpe php:web -.if ${DISTVERSION:N*.*.*} -CPE_VERSION= ${DISTVERSION}.0 +.if ${PORTVERSION:N*.*.*} +CPE_VERSION= ${PORTVERSION}.0 .endif .ifdef WORDPRESS_LANG diff --git a/www/wordpress/files/patch-6.9.1-to-6.9.4 b/www/wordpress/files/patch-6.9.1-to-6.9.4 new file mode 100644 index 000000000000..9e5aa53c8598 --- /dev/null +++ b/www/wordpress/files/patch-6.9.1-to-6.9.4 
@@ -0,0 +1,373 @@ +--- wp-admin/about.php.orig 2026-02-03 17:29:37 UTC ++++ wp-admin/about.php +@@ -60,16 +60,81 @@ require_once ABSPATH . 'wp-admin/admin-header.php'; + + + +-
++
+
+-

++

+

+ Version %s addressed some security issues.' ), ++ '6.9.4' ++ ); ++ ?> ++ the release notes.' ), ++ sprintf( ++ /* translators: %s: WordPress version. */ ++ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), ++ sanitize_title( '6.9.4' ) ++ ) ++ ); ++ ?> ++

++

++ Version %1$s addressed %2$s bug.', + 'Version %1$s addressed %2$s bugs.', ++ 1 ++ ), ++ '6.9.3', ++ 1 ++ ); ++ ?> ++ the release notes.' ), ++ sprintf( ++ /* translators: %s: WordPress version. */ ++ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), ++ sanitize_title( '6.9.3' ) ++ ) ++ ); ++ ?> ++

++

++ Version %s addressed some security issues.' ), ++ '6.9.2' ++ ); ++ ?> ++ the release notes.' ), ++ sprintf( ++ /* translators: %s: WordPress version. */ ++ esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), ++ sanitize_title( '6.9.2' ) ++ ) ++ ); ++ ?> ++

++

++ Version %1$s addressed %2$s bug.', ++ 'Version %1$s addressed %2$s bugs.', + 49 + ), + '6.9.1', +@@ -78,9 +143,9 @@ require_once ABSPATH . 'wp-admin/admin-header.php'; + ?> + the release notes.' ), +- sprintf( ++ /* translators: %s: HelpHub URL. */ ++ __( 'For more information, see the release notes.' ), ++ sprintf( + /* translators: %s: WordPress version. */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '6.9.1' ) +--- wp-admin/includes/class-walker-nav-menu-checklist.php.orig 2025-05-01 19:26:29 UTC ++++ wp-admin/includes/class-walker-nav-menu-checklist.php +@@ -116,11 +116,11 @@ class Walker_Nav_Menu_Checklist extends Walker_Nav_Men + $output .= ''; + $output .= ''; + $output .= ''; +- $output .= ''; ++ $output .= ''; + $output .= ''; + $output .= ''; +- $output .= ''; +- $output .= ''; +- $output .= ''; ++ $output .= ''; ++ $output .= ''; ++ $output .= ''; + } + } +--- wp-admin/includes/class-walker-nav-menu-edit.php.orig 2025-05-01 19:26:29 UTC ++++ wp-admin/includes/class-walker-nav-menu-edit.php +@@ -203,13 +203,13 @@ class Walker_Nav_Menu_Edit extends Walker_Nav_Menu { +

+ +

+

+ +

+

+ +

+

+ +

+
+

+ +

+--- wp-admin/includes/file.php.orig 2025-06-14 05:04:28 UTC ++++ wp-admin/includes/file.php +@@ -1901,6 +1901,11 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs + continue; + } + ++ // Don't extract invalid files: ++ if ( 0 !== validate_file( $file['filename'] ) ) { ++ continue; ++ } ++ + $uncompressed_size += $file['size']; + + $needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname( $file['filename'] ) ); +--- wp-includes/ID3/getid3.lib.php.orig 2025-11-24 18:38:31 UTC ++++ wp-includes/ID3/getid3.lib.php +@@ -13,9 +13,9 @@ if (!defined('GETID3_LIBXML_OPTIONS') && defined('LIBX + + if (!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) { + if (LIBXML_VERSION >= 20621) { +- define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT); ++ define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT); + } else { +- define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING); ++ define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING); + } + } + +--- wp-includes/class-wp-block-patterns-registry.php.orig 2025-10-06 11:31:33 UTC ++++ wp-includes/class-wp-block-patterns-registry.php +@@ -173,12 +173,23 @@ final class WP_Block_Patterns_Registry { + } else { + $patterns = &$this->registered_patterns; + } +- if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) { ++ ++ $file_path = $patterns[ $pattern_name ]['filePath'] ?? ''; ++ $is_stringy = is_string( $file_path ) || ( is_object( $file_path ) && method_exists( $file_path, '__toString' ) ); ++ $pattern_path = $is_stringy ? realpath( (string) $file_path ) : null; ++ if ( ++ ! 
isset( $patterns[ $pattern_name ]['content'] ) && ++ is_string( $pattern_path ) && ++ ( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) && ++ is_file( $pattern_path ) && ++ is_readable( $pattern_path ) ++ ) { + ob_start(); + include $patterns[ $pattern_name ]['filePath']; + $patterns[ $pattern_name ]['content'] = ob_get_clean(); + unset( $patterns[ $pattern_name ]['filePath'] ); + } ++ + return $patterns[ $pattern_name ]['content']; + } + +--- wp-includes/class-wp-http-ixr-client.php.orig 2022-09-12 15:47:14 UTC ++++ wp-includes/class-wp-http-ixr-client.php +@@ -89,7 +89,7 @@ class WP_HTTP_IXR_Client extends IXR_Client { + echo '
' . htmlspecialchars( $xml ) . "\n
\n\n"; + } + +- $response = wp_remote_post( $url, $args ); ++ $response = wp_safe_remote_post( $url, $args ); + + if ( is_wp_error( $response ) ) { + $errno = $response->get_error_code(); +--- wp-includes/html-api/class-wp-html-tag-processor.php.orig 2025-12-04 07:58:36 UTC ++++ wp-includes/html-api/class-wp-html-tag-processor.php +@@ -4680,4 +4680,13 @@ class WP_HTML_Tag_Processor { + * @since 6.7.0 + */ + const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE'; ++ ++ /** ++ * Wakeup magic method. ++ * ++ * @since 6.9.2 ++ */ ++ public function __wakeup() { ++ throw new \LogicException( __CLASS__ . ' should never be unserialized' ); ++ } + } +--- wp-includes/interactivity-api/class-wp-interactivity-api.php.orig 2025-11-10 22:24:34 UTC ++++ wp-includes/interactivity-api/class-wp-interactivity-api.php +@@ -1032,6 +1032,20 @@ final class WP_Interactivity_API { + return; + } + ++ // Skip if the suffix is an event handler. ++ if ( str_starts_with( $entry['suffix'], 'on' ) ) { ++ _doing_it_wrong( ++ __METHOD__, ++ sprintf( ++ /* translators: %s: The directive, e.g. data-wp-on--click. */ ++ __( 'Binding event handler attributes is not supported. Please use "%s" instead.' ), ++ esc_attr( 'data-wp-on--' . substr( $entry['suffix'], 2 ) ) ++ ), ++ '6.9.2' ++ ); ++ continue; ++ } ++ + $result = $this->evaluate( $entry ); + + if ( +--- wp-includes/js/wp-util.js.orig 2022-09-20 03:52:10 UTC ++++ wp-includes/js/wp-util.js +@@ -36,10 +36,11 @@ window.wp = window.wp || {}; + }; + + return function ( data ) { +- if ( ! document.getElementById( 'tmpl-' + id ) ) { ++ var el = document.querySelector( 'script#tmpl-' + id ); ++ if ( ! 
el ) { + throw new Error( 'Template not found: ' + '#tmpl-' + id ); + } +- compiled = compiled || _.template( $( '#tmpl-' + id ).html(), options ); ++ compiled = compiled || _.template( $( el ).html(), options ); + return compiled( data ); + }; + }); +--- wp-includes/js/wp-util.min.js.orig 2025-02-06 17:27:26 UTC ++++ wp-includes/js/wp-util.min.js +@@ -1,2 +1,2 @@ + /*! This file is auto-generated */ +-window.wp=window.wp||{},function(s){var t="undefined"==typeof _wpUtilSettings?{}:_wpUtilSettings;wp.template=_.memoize(function(e){var n,a={evaluate:/<#([\s\S]+?)#>/g,interpolate:/\{\{\{([\s\S]+?)\}\}\}/g,escape:/\{\{([^\}]+?)\}\}(?!\})/g,variable:"data"};return function(t){if(document.getElementById("tmpl-"+e))return(n=n||_.template(s("#tmpl-"+e).html(),a))(t);throw new Error("Template not found: #tmpl-"+e)}}),wp.ajax={settings:t.ajax||{},post:function(t,e){return wp.ajax.send({data:_.isObject(t)?t:_.extend(e||{},{action:t})})},send:function(a,t){var e,n;return _.isObject(a)?t=a:(t=t||{}).data=_.extend(t.data||{},{action:a}),t=_.defaults(t||{},{type:"POST",url:wp.ajax.settings.url,context:this}),(e=(n=s.Deferred(function(n){t.success&&n.done(t.success),t.error&&n.fail(t.error),delete t.success,delete t.error,n.jqXHR=s.ajax(t).done(function(t){var e;"1"!==t&&1!==t||(t={success:!0}),_.isObject(t)&&!_.isUndefined(t.success)?(e=this,n.done(function(){a&&a.data&&"query-attachm ents"===a.data.action&&n.jqXHR.hasOwnProperty("getResponseHeader")&&n.jqXHR.getResponseHeader("X-WP-Total")?e.totalAttachments=parseInt(n.jqXHR.getResponseHeader("X-WP-Total"),10):e.totalAttachments=0}),n[t.success?"resolveWith":"rejectWith"](this,[t.data])):n.rejectWith(this,[t])}).fail(function(){n.rejectWith(this,arguments)})})).promise()).abort=function(){return n.jqXHR.abort(),this},e}}}(jQuery); +\ No newline at end of file ++window.wp=window.wp||{},function(r){var t="undefined"==typeof _wpUtilSettings?{}:_wpUtilSettings;wp.template=_.memoize(function(a){var 
n,s={evaluate:/<#([\s\S]+?)#>/g,interpolate:/\{\{\{([\s\S]+?)\}\}\}/g,escape:/\{\{([^\}]+?)\}\}(?!\})/g,variable:"data"};return function(t){var e=document.querySelector("script#tmpl-"+a);if(e)return(n=n||_.template(r(e).html(),s))(t);throw new Error("Template not found: #tmpl-"+a)}}),wp.ajax={settings:t.ajax||{},post:function(t,e){return wp.ajax.send({data:_.isObject(t)?t:_.extend(e||{},{action:t})})},send:function(n,t){var e,a;return _.isObject(n)?t=n:(t=t||{}).data=_.extend(t.data||{},{action:n}),t=_.defaults(t||{},{type:"POST",url:wp.ajax.settings.url,context:this}),(e=(a=r.Deferred(function(a){t.success&&a.done(t.success),t.error&&a.fail(t.error),delete t.success,delete t.error,a.jqXHR=r.ajax(t).done(function(t){var e;"1"!==t&&1!==t||(t={success:!0}),_.isObject(t)&&!_.isUndefined(t.success)?(e=this,a.done(function(){n&&n.data&&"query-at tachments"===n.data.action&&a.jqXHR.hasOwnProperty("getResponseHeader")&&a.jqXHR.getResponseHeader("X-WP-Total")?e.totalAttachments=parseInt(a.jqXHR.getResponseHeader("X-WP-Total"),10):e.totalAttachments=0}),a[t.success?"resolveWith":"rejectWith"](this,[t.data])):a.rejectWith(this,[t])}).fail(function(){a.rejectWith(this,arguments)})})).promise()).abort=function(){return a.jqXHR.abort(),this},e}}}(jQuery); +\ No newline at end of file +--- wp-includes/kses.php.orig 2025-10-22 21:02:35 UTC ++++ wp-includes/kses.php +@@ -2201,8 +2201,8 @@ function wp_kses_normalize_entities( $content, $contex + * + * Here, each input is normalized to an appropriate output. 
+ */ +- $content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content ); +- $content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content ); ++ $content = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $content ); ++ $content = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $content ); + if ( 'xml' === $context ) { + $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_xml_named_entities', $content ); + } else { +--- wp-includes/media.php.orig 2025-12-01 14:29:25 UTC ++++ wp-includes/media.php +@@ -4570,7 +4570,7 @@ function wp_prepare_attachment_for_js( $attachment ) { + + if ( $attachment->post_parent ) { + $post_parent = get_post( $attachment->post_parent ); +- if ( $post_parent ) { ++ if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) { + $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' ); + $response['uploadedToLink'] = get_edit_post_link( $attachment->post_parent, 'raw' ); + } +--- wp-includes/nav-menu.php.orig 2024-08-05 19:00:19 UTC ++++ wp-includes/nav-menu.php +@@ -514,7 +514,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_ + } + } + +- if ( wp_unslash( $args['menu-item-title'] ) === wp_specialchars_decode( $original_title ) ) { ++ if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) { + $args['menu-item-title'] = ''; + } + +--- wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php.orig 2025-11-25 01:22:32 UTC ++++ wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +@@ -560,6 +560,14 @@ class WP_REST_Comments_Controller extends WP_REST_Cont + } + } + ++ if ( $is_note && ! empty( $request['post'] ) && ! 
current_user_can( 'edit_post', (int) $request['post'] ) ) { ++ return new WP_Error( ++ 'rest_cannot_create_note', ++ __( 'Sorry, you are not allowed to create notes for this post.' ), ++ array( 'status' => rest_authorization_required_code() ) ++ ); ++ } ++ + $edit_cap = $is_note ? array( 'edit_post', (int) $request['post'] ) : array( 'moderate_comments' ); + if ( isset( $request['status'] ) && ! current_user_can( ...$edit_cap ) ) { + return new WP_Error( +--- wp-includes/template-loader.php.orig 2025-10-15 17:14:39 UTC ++++ wp-includes/template-loader.php +@@ -111,8 +111,15 @@ if ( wp_using_themes() ) { + * + * @param string $template The path of the template to include. + */ +- $template = apply_filters( 'template_include', $template ); +- if ( $template ) { ++ $template = apply_filters( 'template_include', $template ); ++ $is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) ); ++ $template = $is_stringy ? realpath( (string) $template ) : null; ++ if ( ++ is_string( $template ) && ++ ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) && ++ is_file( $template ) && ++ is_readable( $template ) ++ ) { + /** + * Fires immediately before including the template. + * +--- wp-includes/version.php.orig 2026-02-03 17:29:37 UTC ++++ wp-includes/version.php +@@ -16,7 +16,7 @@ + * + * @global string $wp_version + */ +-$wp_version = '6.9.1'; ++$wp_version = '6.9.4'; + + /** + * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
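
Review bot: In the www/wordpress/Makefile hunk at `@@ -1,11 +1,12 @@`, the base version 6.9.1 is hard-coded in both `DISTNAME=` lines while `PORTVERSION` says 6.9.4, and the patch file name repeats it a third time, so the next bump has three places to keep in sync. Consider deriving both `DISTNAME` values from a single variable holding the base tarball version, with a comment beside it saying that the distfile is intentionally older than `PORTVERSION` and is brought up to date by files/patch-6.9.1-to-6.9.4.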
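
Review bot: In wp-admin/includes/file.php (`@@ -1901,6 +1901,11 @@`), the new `validate_file( $file['filename'] )` check is added to the loop that accumulates `$uncompressed_size` and `$needed_dirs`, and the hunk does not show whether the later step that writes each entry under `$to` applies the same check. Since the commit message lists this fix as incomplete in 6.9.2, please confirm every place where `$file['filename']` is joined to `$to` is covered, and extend the comment to say what "invalid" means here (a non-zero `validate_file()` result).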
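
Review bot: In wp-includes/ID3/getid3.lib.php, both `define()` calls sit behind `!defined('GETID3_LIBXML_OPTIONS')`, so dropping `LIBXML_NOENT` here has no effect on an installation where the constant is already defined earlier with the old value. A comment above the block stating that `LIBXML_NOENT` enables entity substitution despite its name, and must not be part of this constant, would keep it from being re-added on the next getID3 sync.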
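
Review bot: In wp-includes/class-wp-block-patterns-registry.php (`@@ -173,12 +173,23 @@`), the new condition validates `$pattern_path` (the `realpath()` result), but the unchanged line `include $patterns[ $pattern_name ]['filePath'];` still includes the original, unvalidated value. For a stringable object that value is converted to a string a second time and need not match the path that was checked; suggest `include $pattern_path;`. Separately, when the condition is false and no 'content' key exists, the final `return $patterns[ $pattern_name ]['content'];` reads an undefined index, so an explicit empty-string fallback would be cleaner.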
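
Review bot: In wp-includes/html-api/class-wp-html-tag-processor.php, the docblock for the new `__wakeup()` says only "Wakeup magic method." and does not record why the method throws. Suggest stating that the class is intentionally not unserializable, adding `@throws \LogicException`, and noting that PHP does not call `__wakeup()` when `__unserialize()` is also defined, so a subclass that adds `__unserialize()` would lose this guard.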
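
Review bot: In wp-includes/interactivity-api/class-wp-interactivity-api.php, `str_starts_with( $entry['suffix'], 'on' )` is a case-sensitive comparison while HTML attribute names are case-insensitive, so the guard relies on `$entry['suffix']` having been lowercased before this point, which the hunk does not show. If it is not normalised earlier, compare against `strtolower( $entry['suffix'] )`. A comment saying the prefix match is deliberately broad (it rejects every bound attribute whose name begins with "on") would also help the next reader.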
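
Review bot: In wp-includes/js/wp-util.js, `document.querySelector( 'script#tmpl-' + id )` concatenates `id` into a CSS selector without escaping, whereas the `getElementById` call it replaces treated the id as a literal string. An id containing selector syntax (a dot, a space, a bracket) will now throw a `SyntaxError` from `querySelector` instead of the 'Template not found' error, or match a different element. Keeping `getElementById( 'tmpl-' + id )` and adding a `nodeName === 'SCRIPT'` check, or wrapping the id in `CSS.escape()`, keeps the literal lookup while still requiring a script element; the same applies to the regenerated wp-util.min.js.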
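
Review bot: In wp-includes/kses.php, the tightened patterns `0*[1-9][0-9]{0,6}` and `0*[1-9A-Fa-f][0-9A-Fa-f]{0,5}` require a non-zero digit, so all-zero references such as `&#0;` and `&#x0;` no longer reach `wp_kses_normalize_entities2` or `wp_kses_normalize_entities3` at all. Whatever those callbacks did with such references is now skipped; please confirm how zero-only references are handled downstream and add test cases for them next to the Regex DoS input named in the commit message.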
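
Review bot: In wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php, the new check is guarded by `! empty( $request['post'] )`, so a note request with a missing or zero `post` skips it entirely, while the next line still builds `$edit_cap` from `(int) $request['post']`. Suggest failing closed: return the `rest_cannot_create_note` error whenever `$is_note` is true and `post` is empty, unless a check outside this hunk already rejects that case.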
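
Review bot: In wp-includes/template-loader.php, a `template_include` result that fails the new checks (a path `realpath()` cannot resolve, or an extension other than `.php` / `.html`, matched case-sensitively by `str_ends_with`) is dropped with no diagnostic visible in this hunk. Given that 6.9.3 already had to repair a regression in this filter, suggest reporting the rejection (for example with `_doing_it_wrong()`, as the Interactivity API hunk does) and updating the `@param string $template` docblock to state the extension and readability requirements.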