On April 21, 2015, WordPress 3.9.4 was released to the public. This is a security update for all previous WordPress versions.
To download WordPress 3.9.4, update automatically from the Dashboard > Updates menu in your site's admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress - Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
From the announcement post:
- A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
- Files with invalid or unsafe names could be upload.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
- Four hardening changes, including better validation of post titles within the Dashboard.
List of Files Revised
license.txt readme.html wp-admin/includes/class-wp-comments-list-table.php wp-admin/includes/dashboard.php wp-admin/includes/post.php wp-admin/includes/template.php wp-admin/js/nav-menu.js wp-includes/capabilities.php wp-includes/class-wp-editor.php wp-includes/formatting.php wp-includes/js/plupload/plupload.flash.swf wp-includes/version.php wp-includes/wp-db.php