Versions of WordPress 3.7 prior to 3.7.5, 3.8.x prior to 3.8.5, 3.9.x prior to 3.9.3, and 4.x prior to 4.0.1 are susceptible to the following vulnerabilities:
Three cross-site scripting issues that a contributor or author could use to compromise a site. (CVE-2014-9032, CVE-2014-9035, CVE-2014-9036)
A cross-site request forgery that could be used to trick a user into changing their password. (CVE-2014-9039)
An issue that could lead to a denial of service when passwords are checked. (CVE-2014-9034)
Insufficient protection against server-side request forgery attacks when WordPress makes HTTP requests. (CVE-2014-9033)
An extremely unlikely hash collision that could allow a user’s account to be compromised; it also requires that the user has not logged in since 2008. (CVE-2014-9037)
Links in a password reset email remained valid after the user remembered their password, logged in, and changed their email address; WordPress now invalidates them. (CVE-2014-9039)
WordPress versions 3.9.2 and earlier are affected by a cross-site scripting vulnerability which could enable an anonymous user to compromise the site. (CVE-2014-9031)
codex.wordpress.org/Version_3.7.5
codex.wordpress.org/Version_3.8.5
codex.wordpress.org/Version_3.9.3
codex.wordpress.org/Version_4.0.1
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039
seclists.org/bugtraq/2014/Nov/113
wordpress.org/news/2014/11/wordpress-4-0-1