fix(deps): ⬆️ bump roots/wordpress to v6.9.3 #808

Merged
retlehs merged 1 commit into master from renovate/rootswordpress
Mar 11, 2026
@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package | Change
roots/wordpress (source) | 6.9.1 → 6.9.3

Release Notes

roots/wordpress (roots/wordpress)

v6.9.3: Version 6.9.3

Sourced from WordPress.org Documentation.

Summary

This release features a bugfix for some themes that use an unusual “stringable object” mechanism when loading template file paths that broke in the 6.9.2 security release. Although this is not an officially supported approach to loading template files in WordPress (the template_include filter only accepts a string), it nevertheless caused some sites to break so the team have decided to address this in a fast follow 6.9.3 release. Users using affected themes should update to 6.9.3 to restore the front end of their site to an operational state.

As a reminder, the earlier 6.9.2 version was a security release, and only the most recent version of WordPress is actively supported.

v6.9.2: Version 6.9.2

Sourced from WordPress.org Documentation.

Summary

Security updates

This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • A Blind SSRF issue reported by sibwtf, and subsequently by several other researchers while the fix was being worked on
  • A PoP-chain weakness in the HTML API and Block Registry reported by Phat RiO
  • A regex DoS weakness in numeric character references reported by Dennis Snell of the WordPress Security Team
  • A stored XSS in nav menus reported by Phill Savage
  • An AJAX query-attachments authorization bypass reported by Vitaly Simonovich
  • A stored XSS via the data-wp-bind directive reported by kaminuma
  • An XSS that allows overriding client-side templates in the admin area reported by Asaf Mozes
  • A PclZip path traversal issue reported independently by Francesco Carlucci and kaminuma
  • An authorization bypass on the Notes feature reported by kaminuma
  • An XXE in the external getID3 library reported by Youssef Achtatal

The WordPress security team have worked with the maintainer of the external getID3 library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 is available here.
As a courtesy, these fixes are being backported, where necessary, to all branches eligible to receive security fixes (currently through 4.7). As a reminder, only the most recent version of WordPress is actively supported.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/rootswordpress branch from d4d294c to 3679f53 on March 10, 2026 22:55
@renovate renovate bot changed the title from "fix(deps): ⬆️ bump roots/wordpress to v6.9.2" to "fix(deps): ⬆️ bump roots/wordpress to v6.9.3" on Mar 10, 2026
@retlehs retlehs merged commit 51952a4 into master Mar 11, 2026
8 checks passed
@retlehs retlehs deleted the renovate/rootswordpress branch March 11, 2026 15:13