diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/blocks/widget-group.php
--- a/wp/wp-includes/blocks/widget-group.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/blocks/widget-group.php	Fri Sep 05 18:40:08 2025 +0200
@@ -8,6 +8,11 @@
 /**
  * Renders the 'core/widget-group' block.
  *
+ * @since 5.9.0
+ *
+ * @global array      $wp_registered_sidebars
+ * @global int|string $_sidebar_being_rendered
+ *
  * @param array    $attributes The block attributes.
  * @param string   $content The block content.
  * @param WP_Block $block The block.
@@ -28,7 +33,7 @@
 	$html = '';
 
 	if ( ! empty( $attributes['title'] ) ) {
-		$html .= $before_title . $attributes['title'] . $after_title;
+		$html .= $before_title . esc_html( $attributes['title'] ) . $after_title;
 	}
 
 	$html .= '<div class="wp-widget-group__inner-blocks">';
@@ -42,6 +47,8 @@
 
 /**
  * Registers the 'core/widget-group' block.
+ *
+ * @since 5.9.0
  */
 function register_block_core_widget_group() {
 	register_block_type_from_metadata(
@@ -59,6 +66,10 @@
  * it. This lets us get to the current sidebar in
  * render_block_core_widget_group().
  *
+ * @since 5.9.0
+ *
+ * @global int|string $_sidebar_being_rendered
+ *
  * @param int|string $index       Index, name, or ID of the dynamic sidebar.
  */
 function note_sidebar_being_rendered( $index ) {
@@ -70,6 +81,10 @@
 /**
  * Clear whatever we set in note_sidebar_being_rendered() after WordPress
  * finishes rendering a sidebar.
+ *
+ * @since 5.9.0
+ *
+ * @global int|string $_sidebar_being_rendered
  */
 function discard_sidebar_being_rendered() {
 	global $_sidebar_being_rendered;