An important security update was released for WordPress Core this week: version 3.9.2 patches a possible denial-of-service issue in PHP’s XML processing.
The release also patches several other vulnerabilities:
- Fixes a possible but unlikely code execution when processing widgets.
- Prevents information disclosure via XML entity attacks in the external GetID3 library.
- Adds protections against brute-force attacks against CSRF tokens.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been updated to this new release — there is nothing you need to do at this point.
All other WordPress users should update their installations as soon as possible.
For more information: https://wordpress.org/news/2014/08/wordpress-3-9-2/
The Gmedia Gallery plugin version 1.2.1 contains a serious shell upload vulnerability.
NO ESC! Technologies Group clients have been affected by this vulnerability; however, anyone else using the Gmedia Gallery plugin should upgrade immediately.