WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.
WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.
Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)
Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.