WordPress 3.9.2 [1] is now available. This is a security release for all previous versions, and we strongly encourage you to update your sites immediately.
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager [2] of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team [3]. This is the first time our two projects have coordinated on joint security releases.
WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha [4] of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov [5] of ONSec.
- Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik [6] of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
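The two XML items above (the denial of service in PHP's XML processing and the entity-based disclosure in GetID3) share a root cause: a DTD in untrusted input may declare entities, and a parser that substitutes them will either expand them without bound or fetch whatever a SYSTEM entity points at. The following is an added example written for this page, not code from WordPress, GetID3 or the reporters. The payloads, the temporary secret file and every function name are constructed for the demonstration; it assumes PHP 7.1 or later with the DOM extension on a POSIX filesystem, and the expansion payload is only shown being rejected, not fed to the substituting parser.

```php
<?php
// Added example for this announcement; not code from WordPress, GetID3 or the
// reporters. It shows the two XML entity issue classes named in the release
// notes (expansion-based denial of service and external-entity disclosure)
// against PHP's DOM extension, and a pre-parse rejection that covers both.
// Payloads, the secret file and all function names are constructed.

declare(strict_types=1);

// Constructed payload 1: nested internal entities. Each level multiplies the
// previous one by ten; a few more levels yield gigabytes from a few hundred bytes.
function entity_bomb(): string
{
    return <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol  "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<methodCall><methodName>&lol2;</methodName></methodCall>
XML;
}

// Constructed payload 2: an external (SYSTEM) entity pointing at a local file.
function xxe_payload(string $path): string
{
    return "<?xml version=\"1.0\"?>\n"
         . "<!DOCTYPE foo [ <!ENTITY secret SYSTEM \"file://{$path}\"> ]>\n"
         . "<methodCall><methodName>&secret;</methodName></methodCall>\n";
}

// The vulnerable pattern: LIBXML_NOENT asks libxml to substitute every entity,
// SYSTEM ones included, so &secret; becomes the contents of the named file.
function parse_substituting_entities(string $xml): ?string
{
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NOENT);
    libxml_clear_errors();
    return $ok ? $dom->textContent : null;
}

// Hardened check: neither XML-RPC nor ID3 metadata ever needs a DTD, and a
// DOCTYPE is the only place entities can be declared, so reject it outright.
function contains_doctype(string $xml): bool
{
    return stripos($xml, '<!DOCTYPE') !== false;
}

// Hardened parse: refuse DTDs up front, never pass LIBXML_NOENT, and block
// network fetches with LIBXML_NONET for anything the string check misses.
function parse_untrusted_xml(string $xml): ?DOMDocument
{
    if (contains_doctype($xml)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // deprecated, default behaviour from PHP 8.0 on
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    return $ok ? $dom : null;
}

// Demonstration: a constructed secret file stands in for wp-config.php.
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, 'db_password=hunter2');

$benign = '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName></methodCall>';

echo "vulnerable parser, XXE payload : ", parse_substituting_entities(xxe_payload($secretFile)), "\n";
echo "hardened parser,   XXE payload : ", parse_untrusted_xml(xxe_payload($secretFile)) === null ? 'rejected' : 'accepted', "\n";
echo "hardened parser,   entity bomb : ", parse_untrusted_xml(entity_bomb()) === null ? 'rejected' : 'accepted', "\n";
echo "hardened parser,   benign call : ", parse_untrusted_xml($benign) === null ? 'rejected' : 'accepted', "\n";

unlink($secretFile);
```

The substring check assumes an ASCII-compatible encoding; if you accept UTF-16 input, transcode it to UTF-8 before the check, since the bytes of `<!DOCTYPE` would otherwise not match. `libxml_disable_entity_loader()` is process-wide state on PHP 7, so reset it if the same request later needs to load a local XML or XSLT file legitimately.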
We appreciate the responsible disclosure of these issues directly to our security team. For more information, see the release notes [7] or consult the list of changes [8].
Download WordPress 3.9.2 [9] now or go to Dashboard -> Updates and click “Update Now”.