www/wordpress: upgrade to 6.9.4 (security)
Upstream does not offer localized tarballs for 6.9.4, so download the
6.9.1 tarballs and apply files/patch-6.9.1-to-6.9.4 instead.
Security fixes in 6.9.2:
- Blind SSRF
- PoP-chain weakness in HTML API and Block Registry
- Regex DoS in Numeric Character References
- Stored XSS in Nav Menus
- AJAX query-attachments Authorization Bypass
- Stored XSS via data-wp-bind directive
- XSS allowing override of client-side templates in admin area
- PclZip Path Traversal
- Authorization Bypass on Notes feature
- XXE in external getID3 library
Bug fix in 6.9.3:
- Restore compatibility for themes using stringable objects with the template_include filter (regression introduced in 6.9.2)
Security fixes in 6.9.4 (incomplete fixes from 6.9.2 re-addressed):
- PclZip Path Traversal
- Authorization Bypass on Notes feature
- XXE in external getID3 library