WordPress Release: 3.9.2

Tag Name: 3.9.2

Release Date: 8/6/2014


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.2 is a security release that addresses several important vulnerabilities. This update focuses on strengthening WordPress core against potential security exploits, including improvements to nonce verification, XML handling, and password reset functionality. The release contains no new features but includes critical security fixes that all WordPress site owners should implement immediately.

Highlight of the Release

    • Implementation of constant-time comparison for nonce verification to prevent timing attacks
    • Enhanced security for password reset functionality
    • Improved XML entity handling in XML-RPC requests and ID3 tag processing
    • Better security in the WordPress Customizer widgets
    • Improved avatar handling with proper escaping

Migration Guide

No specific migration steps are required for this security update. Simply update your WordPress installation to version 3.9.2 through your admin dashboard or via manual update.

If you're a developer who has implemented custom code that interacts with nonces, password resets, XML processing, or the WordPress Customizer, you may want to review your code to ensure it aligns with the security improvements in this release.

The update is backward compatible and should not break existing functionality.

Upgrade Recommendations

Immediate Upgrade Recommended

This is a security release that addresses several important vulnerabilities in WordPress core. All WordPress site owners should update to version 3.9.2 immediately.

The security fixes in this release protect against potential timing attacks, XML external entity (XXE) attacks, and other security vulnerabilities that could be exploited by malicious actors.

You can update through your WordPress dashboard or download the update directly from WordPress.org. As always, it's recommended to back up your site before performing any update.

Bug Fixes

Security Bug Fixes

  • Fixed potential timing attack vulnerability in wp_verify_nonce() by implementing constant-time comparison
  • Added proper escaping in get_avatar() function to prevent potential XSS vulnerabilities
  • Fixed security issues with password reset functionality by improving how reset keys are handled
  • Added delimiters when building nonce hashes for improved security
  • Improved MAC verification in WordPress Customizer widgets
  • Fixed XML entity handling in ID3 tag processing to prevent XML external entity (XXE) attacks
  • Enhanced security of XML-RPC requests by ignoring potentially malicious entities

New Features

No new features were added in this security maintenance release. WordPress 3.9.2 focuses exclusively on security improvements and bug fixes to protect WordPress installations from potential vulnerabilities.

Security Updates

Critical Security Fixes

  • Timing Attack Protection: Implemented constant-time comparison for nonce verification to prevent timing attacks that could potentially reveal valid nonces
  • XML External Entity (XXE) Prevention: Disabled external entities in ID3 tag processing and XML-RPC requests to prevent XXE attacks that could lead to server-side request forgery or information disclosure
  • Password Reset Security: Improved handling of password reset keys to prevent potential security issues
  • XSS Prevention: Enhanced escaping in the get_avatar() function to prevent cross-site scripting vulnerabilities
  • Customizer Security: Added earlier verification of MAC (Message Authentication Code) in WordPress Customizer widgets to prevent potential security issues
  • Nonce Security: Improved nonce hash building by using proper delimiters for enhanced protection
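As an added illustration of the XXE items above (this is not WordPress code), the pre-parse checks a hardened XML-RPC endpoint can apply: refuse any request carrying a DOCTYPE, insist on a methodCall root, and parse with network access off. The parse_xmlrpc_request() helper and the two sample request bodies are constructed for this demo.

```php
<?php
// Added example, not WordPress code: reject entity declarations before the XML parser sees them,
// then parse with libxml's network access disabled. Returns the method name, or null if rejected.
function parse_xmlrpc_request( $body ) {
    // 1. Strip an XML declaration, then refuse a document that begins with a DOCTYPE:
    //    the DTD is where internal and external entity declarations (the XXE vector) live.
    $body = ltrim( preg_replace( '/^\s*<\?xml[^?]*\?>/i', '', $body, 1 ) );
    if ( 0 === stripos( $body, '<!DOCTYPE' ) ) {
        return null;
    }
    // 2. A request must start with a <methodCall> root; comments, PIs or other roots are rejected.
    if ( ! preg_match( '/^<methodCall[\s>]/', $body ) ) {
        return null;
    }
    // 3. Parse with LIBXML_NONET so libxml can never fetch remote DTDs or entities.
    //    LIBXML_NOENT is deliberately absent: it would switch entity substitution ON.
    if ( PHP_VERSION_ID < 80000 ) {
        libxml_disable_entity_loader( true ); // external loading is already off by default on PHP 8
    }
    $prev = libxml_use_internal_errors( true );
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML( $body, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    // With no DTD, an undeclared reference such as &ext; is a parse error, so $ok is false.
    if ( ! $ok || null !== $dom->doctype || 'methodCall' !== $dom->documentElement->tagName ) {
        return null;
    }
    $name = $dom->getElementsByTagName( 'methodName' )->item( 0 );
    return $name ? trim( $name->textContent ) : null;
}

// Constructed sample requests: a normal call and one carrying an external entity declaration.
$benign = '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params/></methodCall>';
$xxe    = '<?xml version="1.0"?><!DOCTYPE m [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
        . '<methodCall><methodName>&ext;</methodName></methodCall>';
var_dump( parse_xmlrpc_request( $benign ) ); // accepted, yields the method name
var_dump( parse_xmlrpc_request( $xxe ) );    // rejected at the DOCTYPE check
```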

Performance Improvements

Performance and Security Improvements

  • Implemented constant-time comparison for nonce verification through the new hash_equals() function, which helps prevent timing attacks while maintaining performance
  • Added a second copy of hash_equals() to pluggable.php to ensure availability during updates without cross-file dependencies
  • Improved security verification processes that maintain performance while adding protection against potential exploits
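As an added illustration of the nonce items above (this is not WordPress core code): why undelimited concatenation of the nonce fields is ambiguous, and how a constant-time hash_equals() avoids leaking where a comparison first fails. The secret, tick value and the create_nonce()/verify_nonce() stand-ins for wp_hash()/wp_verify_nonce() are constructed for this demo; the polyfill is of the kind 3.9.2 shipped for PHP versions older than 5.6, which lack hash_equals().

```php
<?php
// Added example, not WordPress core code. Stand-ins for the pluggable.php helpers are used here.

// Undelimited concatenation (the pre-3.9.2 pattern): field boundaries are lost.
function nonce_input_undelimited( $tick, $action, $uid ) {
    return $tick . $action . $uid;
}
// Delimited (the 3.9.2 pattern): '|' separates fields, so the boundaries are unambiguous.
function nonce_input_delimited( $tick, $action, $uid ) {
    return $tick . '|' . $action . '|' . $uid;
}

// Constant-time comparison for PHP < 5.6: XOR every byte and never return early,
// so the time taken does not reveal at which byte two strings diverge.
if ( ! function_exists( 'hash_equals' ) ) {
    function hash_equals( $a, $b ) {
        $a_length = strlen( $a );
        if ( $a_length !== strlen( $b ) ) {
            return false;
        }
        $result = 0;
        for ( $i = 0; $i < $a_length; $i++ ) {
            $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
        }
        return 0 === $result;
    }
}

// Nonce = 10 characters of an HMAC over the delimited input, the same shape WordPress uses.
function create_nonce( $tick, $action, $uid, $secret ) {
    return substr( hash_hmac( 'md5', nonce_input_delimited( $tick, $action, $uid ), $secret ), -12, 10 );
}
function verify_nonce( $nonce, $tick, $action, $uid, $secret ) {
    // Accept the current tick or the previous one, as wp_verify_nonce() does; compare in constant time.
    foreach ( array( $tick, $tick - 1 ) as $t ) {
        if ( hash_equals( create_nonce( $t, $action, $uid, $secret ), (string) $nonce ) ) {
            return true;
        }
    }
    return false;
}

// Constructed demo: action "edit-1" for user 23 and action "edit-12" for user 3 produce the
// same undelimited string (and so the same nonce); with delimiters the inputs differ.
var_dump( nonce_input_undelimited( 7, 'edit-1', 23 ) === nonce_input_undelimited( 7, 'edit-12', 3 ) );
var_dump( nonce_input_delimited( 7, 'edit-1', 23 ) === nonce_input_delimited( 7, 'edit-12', 3 ) );
$secret = 'constructed-demo-secret';
$nonce  = create_nonce( 7, 'edit-1', 23, $secret );
var_dump( verify_nonce( $nonce, 7, 'edit-1', 23, $secret ), verify_nonce( $nonce, 7, 'edit-12', 3, $secret ) );
```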

Impact Summary

WordPress 3.9.2 is a security-focused maintenance release that addresses several important vulnerabilities without adding new features or changing existing functionality. The update strengthens WordPress core against potential security exploits including timing attacks on nonce verification, XML external entity (XXE) attacks, and issues with password reset functionality.

The security improvements are implemented in a way that maintains backward compatibility while enhancing protection for all WordPress sites. This release demonstrates WordPress's commitment to security and protecting the millions of websites powered by the platform.

Site administrators should update immediately to protect their websites from these potential security vulnerabilities. The update process is straightforward and should not impact existing site functionality.

Statistics:

  • Files changed: 10
  • Line additions: 150
  • Line deletions: 37
  • Line changes: 187
  • Total commits: 10

Users Affected:

  • Need to update their WordPress installations to protect against security vulnerabilities
  • Benefit from improved security for password reset functionality
  • Gain protection against potential XML-based attacks

Contributors:

nacin