WordPress have released a security update to their popular Blogging and Content Management System (CMS) and are encouraging all users to update their sites immediately.
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team.
WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
All our our customers websites running WordPress have been automatically updated as part of our managed WordPress Hosting so they don’t need to do anything. Customers with other hosts should either login to their Dashboard or check with their Hosting company to see what action they need to take.
The full announcement can be found here: WordPress 3.9.2 Security Release