diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index d2304f4d55..be03264455 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -3613,7 +3613,7 @@ function wp_nonce_ays( $action ) {
 if ( wp_get_referer() ) {
 $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
- $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
+ $wp_http_referer = wp_validate_redirect( sanitize_url( $wp_http_referer ) );
 $html .= '

';
 $html .= sprintf(
diff --git a/wp-includes/update.php b/wp-includes/update.php
index 7c4e31feef..c5349832ac 100644
--- a/wp-includes/update.php
+++ b/wp-includes/update.php
@@ -754,7 +754,7 @@ function wp_update_themes( $extra_stats = array() ) {
 continue;
 }
- $hostname = wp_parse_url( esc_url_raw( $theme_data['UpdateURI'] ), PHP_URL_HOST );
+ $hostname = wp_parse_url( sanitize_url( $theme_data['UpdateURI'] ), PHP_URL_HOST );
 /**
 * Filters the update response for a given theme hostname.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 460549500d..9fd2f229e0 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.4-alpha-56493';
+$wp_version = '6.4-alpha-56494';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
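Review bot: The result of `wp_validate_redirect( sanitize_url( $wp_http_referer ) )` in `wp_nonce_ays()` is used without a check, and the very next lines go on to build the link markup. `wp_validate_redirect()` is called here without a fallback, so a referer it rejects comes back as an empty string, and `sanitize_url()` also returns an empty string for a scheme it does not allow. Failing closed is the right outcome, but the link should then be left out, for example by wrapping the two `$html .=` statements in `if ( $wp_http_referer ) {`. The `sprintf(` call continues past the end of the hunk, so how the value is escaped for output is not visible here.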
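Review bot: `$hostname` in `wp_update_themes()` is not checked after `wp_parse_url( ..., PHP_URL_HOST )`, which returns `null` when the URL has no host component and `false` when it cannot be parsed. The `UpdateURI` value appears to come from a theme header, and the docblock that follows shows the hostname selects which per-hostname update filter is consulted. Presumably an empty value would collapse to a hook name with no hostname in it, shared by every theme whose header fails to parse. A guard right after the assignment would keep such themes out of that path: `if ( ! is_string( $hostname ) || '' === $hostname ) { continue; }`. The filter call itself lies outside the hunk, so confirm how `$hostname` is interpolated before adopting this.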