WordPress users are strongly encouraged to update their sites to 3.9.2, as it’s a security-focused release. According to the announcement, 3.9.2 fixes a possible denial of service issue in PHP’s XML processing. The bug was first reported by Nir Goldshlager of the Salesforce.com Product Security Team and was fixed by Michael Adams and Andrew Nacin of the WordPress security team. The release was also coordinated with the Drupal security team.
Since the vulnerability is present in WordPress 3.5 through 3.9.1, many sites will need to be updated manually in order to be protected. Automatic background updates for security releases were introduced in WordPress 3.7, so sites still running 3.5 or 3.6 are especially exposed: they will not receive this fix unless someone applies it. According to stats on WordPress.org, 26.8% of all WordPress sites will not be auto-updated. Among those sites, 18.8% are still using WordPress 3.5.
WordPress 3.9.2 has a few other security updates as well:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, such as preventing cross-site scripting that could only be triggered by administrators.
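Two of the items above (the XML processing denial of service and the XML entity attacks against GetID3) belong to the same family: a parser that honours entity declarations can be made to read a local file into the document or to expand a few nested entities into a huge string. The usual defence is to refuse the DOCTYPE before any entity is ever expanded. The following is an added example written for this article, not code from WordPress, GetID3 or the release; it uses only the Python standard library, and the three sample documents are constructed for illustration. `naive_parse` shows the expansion happening; `parse_untrusted` rejects the declaration instead.

```python
"""Hardened XML parsing that refuses DOCTYPE and entity declarations.

Added example, not code from WordPress, GetID3 or the article. Every XML
entity attack, whether an external entity that reads a local file
(information disclosure) or nested internal entities that expand into
megabytes (denial of service), needs a DOCTYPE to declare the entity in.
Rejecting the declaration itself, before expansion, shuts down the whole
class. Standard library only; the sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document tries to declare a DOCTYPE or entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXML("DOCTYPE declaration refused: %r" % name)


def _reject_entity(*decl):
    raise UnsafeXML("entity declaration refused: %r" % (decl[0],))


def naive_parse(data):
    """What most code does: let the parser expand whatever the DOCTYPE declares."""
    return ET.fromstring(data)


def parse_untrusted(data):
    """Build an ElementTree from untrusted input, failing on any DOCTYPE/ENTITY.

    The expat handlers fire at the declaration, before any entity value is
    substituted into the tree, so even a deeply nested expansion costs
    nothing beyond the bytes already read.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_safe(data):
    """True if the document parses without touching a DOCTYPE or entity.

    Malformed XML (expat.ExpatError) is left to propagate: it is a different
    failure and callers usually want to log it separately.
    """
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples, not captured from any real site or file.
BENIGN = '<?xml version="1.0"?><track><title>Sample &amp; Test</title></track>'
XXE = ('<?xml version="1.0"?>'
       '<!DOCTYPE track [<!ENTITY leak SYSTEM "file:///etc/passwd">]>'
       '<track><title>&leak;</title></track>')
BLOWUP = ('<?xml version="1.0"?><!DOCTYPE track ['
          '<!ENTITY a "aaaaaaaaaa">'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
          ']><track><title>&c;</title></track>')

if __name__ == "__main__":
    print(naive_parse(BENIGN).find("title").text)
    # Three short declarations become 1000 characters of text in the naive parser.
    print(len(naive_parse(BLOWUP).find("title").text), "chars from a 3-entity DOCTYPE")
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("blowup", BLOWUP)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```

The `BLOWUP` sample is deliberately tiny (three declarations, a thousand characters of output) so it is harmless to run; the same shape with ten levels is the classic "billion laughs". Note that `parse_untrusted` still accepts the five predefined entities such as `&amp;`, because those need no declaration.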
You can update to 3.9.2 immediately by browsing to Dashboard > Updates in the WordPress admin. Sites that have automatic background updates enabled will be updated within 12 hours. Sites using WordPress 3.8.3 or 3.7.3 will be updated to 3.8.4 or 3.7.4 respectively. Older versions of WordPress are not supported, so please update to 3.9.2 for the latest and greatest.
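If you look after more than a handful of installs, the quickest way to find the ones that still need attention is to read the version string out of each site's `wp-includes/version.php` (the real file and variable) and compare it with the ranges above. The script below is an added example written for this article, not a WordPress.org tool; the sample file contents are constructed, and the affected range (3.5 through 3.9.1) and the 3.7.4 / 3.8.4 targets come straight from the release notes.

```python
"""Check a WordPress install's version against the 3.9.2 security release.

Added example, not code from WordPress.org or the article. It reads the
`$wp_version` assignment from wp-includes/version.php and applies the
ranges the release notes give: 3.5 through 3.9.1 are affected, background
updates exist from 3.7 onward, and 3.7.x / 3.8.x sites on background
updates land on 3.7.4 / 3.8.4 while everything else should go to 3.9.2.
"""
import re

AFFECTED_MIN = (3, 5, 0)
AFFECTED_MAX = (3, 9, 1)
FIRST_AUTO_UPDATE = (3, 7)

# Constructed sample of wp-includes/version.php (not copied from a real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.9.1';
$wp_db_version = 27916;
"""


def parse_wp_version(php_source):
    """Return the $wp_version value as a tuple of ints, e.g. (3, 9, 1)."""
    m = re.search(r"""\$wp_version\s*=\s*['"]([0-9][0-9.]*)['"]""", php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(version):
    # Pad to three components so 3.5 and 3.5.0 compare equal.
    return tuple(version) + (0,) * (3 - len(version))


def is_affected(version):
    return AFFECTED_MIN <= _padded(version) <= AFFECTED_MAX


def can_auto_update(version):
    return tuple(version[:2]) >= FIRST_AUTO_UPDATE


def target_version(version):
    """Release an affected site should end up on.

    3.7.x and 3.8.x sites get the matching point release from the background
    updater; everything else (including 3.5/3.6, which cannot auto-update)
    should be moved to 3.9.2 by hand.
    """
    major_minor = tuple(version[:2])
    if major_minor == (3, 8):
        return "3.8.4"
    if major_minor == (3, 7):
        return "3.7.4"
    return "3.9.2"


def assess(php_source):
    """Summarise one install: version, whether it is affected, and what to do."""
    v = parse_wp_version(php_source)
    affected = is_affected(v)
    return {
        "version": ".".join(str(p) for p in v),
        "affected": affected,
        "auto_update": can_auto_update(v),
        "target": target_version(v) if affected else None,
        "manual_update_needed": affected and not can_auto_update(v),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_PHP).items():
        print("%-22s %s" % (key, value))
```

Run it over `wp-includes/version.php` from each site (for example by piping the file in over SSH) and act on any result where `manual_update_needed` is true first; those are the 3.5 and 3.6 installs that no background update will ever reach.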
It’s awesome to see the security teams from both WordPress and Drupal working together to keep users safe.