nessus | Tenable | 8584.PRM
History: Mar 12, 2015 - 12:00 a.m.

WordPress 3.7 < 3.7.5 / 3.8 < 3.8.5 / 3.9 < 3.9.3 / 4.x < 4.0.1 Multiple Vulnerabilities

2015-03-12 00:00:00
Tenable
www.tenable.com

WordPress 3.7.x versions prior to 3.7.5, 3.8.x prior to 3.8.5, 3.9.x prior to 3.9.3, and 4.x prior to 4.0.1 are susceptible to the following vulnerabilities:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. (CVE-2014-9032, CVE-2014-9035, CVE-2014-9036)

  • A cross-site request forgery that could be used to trick a user into changing their password. (CVE-2014-9039)

  • An issue that could lead to a denial of service when passwords are checked. (CVE-2014-9034)

  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. (CVE-2014-9033)

  • An extremely unlikely hash collision that could allow a user’s account to be compromised, and only if the user has not logged in since 2008. (CVE-2014-9037)

  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. (CVE-2014-9039)

  • WordPress versions 3.9.2 and earlier are affected by a cross-site scripting vulnerability which could enable an anonymous user to compromise the site. (CVE-2014-9031)

Vendor     Product    Version  CPE
wordpress  wordpress  -        cpe:/a:wordpress:wordpress