WordPress 3.9.2 Fixes Security Vulnerabilities, Users Strongly Encouraged To Update

WordPress users are strongly encouraged to update their sites to 3.9.2 as it’s a security focused release. According to the announcement, 3.9.2 fixes a possible denial of service issue in PHP’s XML processing. The bug was first reported by Nir Goldshlager of the Salesforce.com Product Security Team and was fixed by Michael Adams and Andrew Nacin of the WordPress security team. The release was also coordinated with the Drupal security team.

18.8% Of WordPress Sites Are Running On Version 3.5

Since the vulnerability is present in WordPress 3.5 through 3.9.1, many sites will need to be updated manually in order to be protected. Automatic updates for security releases were introduced in WordPress 3.7, leaving users of 3.6 and 3.5 especially vulnerable. According to stats on WordPress.org, 26.8% of all WordPress sites will not be auto-updated. Among those sites, 18.8% are still using WordPress 3.5.

WordPress 3.9.2 has a few other security updates as well:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
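Both XML items in this release, the denial of service in PHP's XML processing and the entity-based information disclosure in GetID3, come down to a parser honouring a DTD that the attacker supplied. The guard below is an added example, not WordPress's or GetID3's code: it uses Python's stdlib expat bindings to abort on the first DOCTYPE or entity declaration, before any entity could be expanded or any external resource fetched, and only then hands the bytes to a tree parser. The sample documents are constructed for the example, and the function and class names are my own.

```python
"""Added example: refuse untrusted XML that carries a DTD before tree-parsing it.

Rejecting the declaration itself (rather than the entity *use*) means nested
entity expansion never starts and SYSTEM entities are never resolved.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when the input declares a DOCTYPE or an entity."""


def assert_no_dtd(data: bytes) -> None:
    """Scan `data` with expat and raise UnsafeXML at the first DOCTYPE/entity decl.

    The handlers fire on the declaration, which precedes the document body, so
    the parser stops before any entity reference could be expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration refused: %r" % name)

    def reject_entity(name, *_):
        raise UnsafeXML("entity declaration refused: %r" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # An exception raised inside a handler propagates out of Parse();
    # malformed input raises ExpatError instead.
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML into an ElementTree only after the DTD screen passes."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def check_xml(data: bytes) -> str:
    """Return "ok" when the document is accepted, otherwise the rejection reason."""
    try:
        safe_parse(data)
    except UnsafeXML as exc:
        return str(exc)
    except (xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        return "malformed: %s" % exc
    return "ok"


# Constructed sample inputs (hypothetical, not taken from the release).
BENIGN = b"<post><title>WordPress 3.9.2</title></post>"
# Nested internal entities: the pattern behind entity-expansion denial of service.
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE post [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<post>&b;</post>"
)
# External entity: the pattern behind XXE information disclosure.
EXTERNAL_ENTITY = (
    b'<!DOCTYPE post [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<post>&ext;</post>"
)
MALFORMED = b"<post><title>unclosed</post>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("nested entities", NESTED_ENTITIES),
                       ("external entity", EXTERNAL_ENTITY), ("malformed", MALFORMED)]:
        print("%-16s -> %s" % (label, check_xml(doc)))
```

Wiring this in front of any XML your application accepts from the network (pingbacks, XML-RPC bodies, uploaded media metadata) turns a parser-dependent problem into a single, testable policy: documents with a DTD are not processed at all.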

You can update to 3.9.2 immediately by browsing to Dashboard > Updates in the backend of WordPress. Sites that have automatic updates configured will be updated within 12 hours. Sites using WordPress 3.8.3 or 3.7.3 will be updated to 3.8.4 or 3.7.4. Older versions of WordPress are not supported, so please update to 3.9.2 for the latest and greatest.

It’s awesome to see the security teams from both WordPress and Drupal working together to keep users safe.


25 responses to “WordPress 3.9.2 Fixes Security Vulnerabilities, Users Strongly Encouraged To Update”

  1. Why is 3.8.3 being updated to 3.8.4 and not 3.9.2?
    Why is 3.7.3 being updated to 3.7.4 and not 3.9.2?

    If it’s such an important update, why within TWELVE hours?

    I always wondered, is there a slow on the servers right about now since A LOT of sites are updating manually/automatically?

    Imagine if EVERY WordPress site updated this very instant. Could their servers handle the update?

    • When we added automatic background updates in 3.7 we turned it on by default for minor and security releases only. With this we added the ability to do in-branch updates, which means we can still keep outdated installs (those on 3.7.x or 3.8.x) secure. It’s worth it, even though it means extra packages.

      Yes, updates produce a lot of extra load on WordPress.org, but we can handle it fine. While installs by default check every 12 hours, we do have the ability to temporarily instruct sites to check more frequently. We just haven’t used it yet. We’ve been making numerous hardware and infrastructure upgrades to enable us to shrink the window from 12 hours to an hour or less. This was the first release with new 10 GBit NIC cards on the load balancers, for example. With each release we learn where we need to make adjustments in the future. I suspect we’ll be able to try a much shorter window with the next release, whenever that may be.

  2. Email Notifications: J. Duncan writes that he would like to get an email for updates for every site … I have the WordFence plugin installed on all the sites I manage with email notifications turned on, so I get an email every time a plugin, theme or WordPress needs updating. If I miss the email, I check my ManageWP dashboard every morning and (most of the time) do the upgrades from there. Saves a lot of time.

  3. oh my God, you are awesome. Thank you. I can’t access the site at all at the moment, but the problem is intermittent. As soon as I can access it again I will give it a go. Thank you, thank you!

    • If you look through the panel, there is a section where you can turn off the plugins one by one (or a bunch at a time)… it’s called globally disabling them. There is also an option to do this on a page-by-page basis, which is very helpful if you have a certain page that is having issues and it’s due to two plugins having a conflict. This is just one idea. You could have theme issues as well. If this is the case, activating the default WordPress theme will typically tell you this. You have to be careful doing this, as the Widgets you have set up can disappear. So if you have configuration-intensive widgets, you will want to note all the settings or drag them to the inactive widgets section so you can put them back later. The reason I always try Plugin Organizer is similar to the issue with widget settings: some plugins clear settings when fully deactivated. It sounds like you were able to get to the back end if you could install that plugin?
