WordPress 3.9.2 Fixes Security Vulnerabilities, Users Strongly Encouraged To Update

WordPress users are strongly encouraged to update their sites to 3.9.2 as it’s a security focused release. According to the announcement, 3.9.2 fixes a possible denial of service issue in PHP’s XML processing. The bug was first reported by Nir Goldshlager of the Salesforce.com Product Security Team and was fixed by Michael Adams and Andrew Nacin of the WordPress security team. The release was also coordinated with the Drupal security team.

18.8% Of WordPress Sites Are Running On Version 3.5

Since the vulnerability is present in WordPress 3.5 through 3.9.1, many sites need to be updated manually in order to be protected. Automatic updates for security releases were introduced in WordPress 3.7, leaving users of 3.6 and 3.5 especially vulnerable. According to stats on WordPress.org, 26.8% of all WordPress sites will not be auto-updated. Among those sites, 18.8% are still using WordPress 3.5.

WordPress 3.9.2 has a few other security updates as well:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
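
The first two items above both concern XML handling: an entity-expansion denial of service in PHP's XML processing and entity-based information disclosure in GetID3. The following is an added illustration of the defensive pattern such fixes rely on, written here in Python rather than PHP; it is not WordPress's or GetID3's own code. It parses an XML-RPC style methodCall body with two layers: a cheap textual check that refuses any DOCTYPE (the only place a document can declare its own entities), and an expat parser whose entity-declaration handler aborts the parse, so no expansion chain or external entity can be set up even if the first check were skipped. The request bodies in the test are constructed for this example; the size limit is an assumed value.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised for request bodies we refuse to process."""

MAX_BODY_BYTES = 64 * 1024  # assumed limit for this illustration

def has_doctype(body: str) -> bool:
    # A legitimate XML-RPC call never needs a DOCTYPE, so reject it up front.
    return "<!DOCTYPE" in body.upper()

def parse_methodcall(body: str, precheck: bool = True) -> dict:
    """Return {'method': str, 'params': [str, ...]} or raise UnsafeXML.

    Only explicitly typed scalar <value> children are collected; that is
    enough to show the hardening, which is the point of the example."""
    if len(body.encode()) > MAX_BODY_BYTES:
        raise UnsafeXML("request body too large")
    if precheck and has_doctype(body):
        raise UnsafeXML("DOCTYPE/entity declarations are not accepted")
    result = {"method": "", "params": []}
    stack, buf = [], []

    def reject_entity(*_):  # second layer: fires on ANY entity declaration
        raise UnsafeXML("entity declaration rejected")
    def start(name, attrs):
        stack.append(name); buf.clear()
    def chars(data):
        buf.append(data)
    def end(name):
        text = "".join(buf).strip()
        if name == "methodName":
            result["method"] = text
        elif name in ("string", "int", "i4", "boolean", "double") and "param" in stack:
            result["params"].append(text)
        stack.pop(); buf.clear()

    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = reject_entity
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    try:
        p.Parse(body, True)
    except xml.parsers.expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from e
    return result

def is_rejected(body: str, precheck: bool = True) -> bool:
    """Convenience wrapper: True if the body is refused, False if it parses."""
    try:
        parse_methodcall(body, precheck)
        return False
    except UnsafeXML:
        return True
```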

You can update to 3.9.2 immediately by browsing to Dashboard > Updates in the backend of WordPress. Sites that have automatic updates configured will be updated within 12 hours. Sites using WordPress 3.8.3 or 3.7.3 will be updated to 3.8.4 or 3.7.4. Older versions of WordPress are not supported, so please update to 3.9.2 for the latest and greatest.

It’s awesome to see the security teams from both WordPress and Drupal working together to keep users safe.


25 responses to “WordPress 3.9.2 Fixes Security Vulnerabilities, Users Strongly Encouraged To Update”

    • There is a plugin I installed on a former client that is supposed to e-mail the admin address whenever there is an update. I can’t remember if WP Core, themes or plugins.

      Since that client is a former client (let me go a week after the plugin was installed). I have no idea how that plugin works.

      When I get up to my laptop every morning, I log in on all the sites I manage (client and my own) and check for updates.

    • I got emails on 3 sites running outdated versions that I helped people on that I’m no longer working on. No extra plugins.

  1. Why is 3.8.3 being updated to 3.8.4 and not 3.9.2?
    Why is 3.7.3 being updated to 3.7.4 and not 3.9.2?

    If it’s such an important update, why within TWELVE hours?

    I always wondered, is there a slow on the servers right about now since A LOT of sites are updating manually/automatically?

    Imagine if EVERY WordPress site updated this very instant. Could their servers handle the update?

    • When we added automatic background updates in 3.7 we turned it on by default for minor and security releases only. With this we added the ability to do in-branch updates, which means we can still keep outdated installs (those on 3.7.x or 3.8.x) secure. It’s worth it, even though it means extra packages.

      Yes, updates produce a lot of extra load on WordPress.org, but we can handle it fine. While installs by default check every 12 hours, we do have the ability to temporarily instruct sites to check more frequently. We just haven’t used it yet. We’ve been making numerous hardware and infrastructure upgrades to enable us to shrink the window from 12 hours to an hour or less. This was the first release with new 10 GBit NIC cards on the load balancers, for example. With each release we learn where we need to make adjustments in the future. I suspect we’ll be able to try a much shorter window with the next release, whenever that may be.

  2. Email Notifications: J. Duncan writes that he would like to get an email for updates for every site … I have the WordFence plugin installed on all the sites I manage with email notifications turned on, so I get an email every time a plugin, theme or WordPress needs updating. If I miss the email, I check my ManageWP dashboard every morning and (most of the time) do the upgrades from there. Saves a lot of time.

  3. Could this be the reason my site has been up and down over the last few days?

    • It is very unlikely. The pushes that are happening are security in nature. As far as I know, the pushes were today, so likely you have a plugin that is not playing friendly (old code that is causing a quirk).

    • Before you deactivate all plugins, try going to your panel and Add Plugin and put in “Plugin Organizer” and you can experiment from there…can you get to your admin panel?

  4. oh my God, you are awesome. Thank you. I can’t access the site at all at the moment, but the problem is intermittent. As soon as I can access it again I will give it a go. Thank you, thank you!

    • I am very busy through tomorrow, but I’ll help you if you hit me up in the evening, don’t stop trying or learning. It’s a fun endeavor that will pay you back. If you need help, we’re all here for you.

    • Pacific…I will give you 2 hours, Jeffro is always there for me. It’s probably something dumb…we’ll take care of you. Hopefully you haven’t totally borked the site, I doubt it.

  5. Thank you. I still can’t get into the back end, but I’m sure it will come back soon. It’s been off and on for days. My readers are getting a little antsy :/

  6. I am glad it updates itself. I had 3.9.1 and it notified me on my email about the security breach and updated itself.

  7. I’ve installed the plugin organizer, but can’t see how to use it. No settings come up.

    • If you look through the panel, there is a section where you can turn off the plugins one by one (or a bunch at a time)…it’s called globally disabling them. There is also an option to do this on a page by page basis which is very helpful if you have a certain page that is having issues and it’s due to two plugins having a conflict. This is just one idea. You could have theme issues as well. If this is the case, activating the default WordPress theme will typically tell you this. You have to be careful doing this as the Widgets you have setup can disappear. So if you have configuration intensive widgets, you will want to note all the settings or drag them to the inactive widgets section so you can put them back later. The reason I always try Plugin Organizer is similar to the issue with widget settings, some plugins clear settings when fully deactivated. It sounds like you were able to get to the back end if you could install that plugin?

  8. I didn’t know WordPress installs in the wild were so fragmented. That’s depressing.

    I take it those stats are for 3.x only. Are there any figures for 1.x, 2.x and 4.x?
