diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index bad987c9f1..342dd0e157 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -680,6 +680,10 @@ function _http_build_query( $data, $prefix = null, $sep = null, $key = '', $urle
  * value. Additional values provided are expected to be encoded appropriately
  * with urlencode() or rawurlencode().
  *
+ * Important: The return value of add_query_arg() is not escaped by default.
+ * Output should be late-escaped with esc_url() or similar to help prevent
+ * vulnerability to cross-site scripting (XSS) attacks.
+ *
  * @since 1.5.0
  *
  * @param string|array $param1 Either newkey or an associative_array.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 83cf61b566..77dc1732ae 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.4-alpha-34263';
+$wp_version = '4.4-alpha-34264';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.