- Lester Chan's WordPress Plugins - https://lesterchan.net/wordpress -

WordPress 3.9.2

WordPress 3.9.2 [1] has been released. It is a security release, so it is recommended that you update your site immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager [2] of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team [3]. This is the first time our two projects have coordinated on joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha [4] of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov [5] of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik [6] of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes [7] or consult the list of changes [8].

Download WordPress 3.9.2 [9] now or go to Dashboard -> Updates and click “Update Now”.