On April 8, 2014 WordPress released a security update to version 3.8.2. The announcement that accompanied the release states “this is an important security release for all previous versions and we strongly encourage you to update your sites immediately.”
WP 3.8.2 addresses two potentially serious security vulnerabilities, includes three security hardening changes, and fixes nine “other bugs.” Most notably, the following security issues are addressed:
- Potential authentication cookie forgery. CVE-2014-0166. (Very serious vulnerability!)
- Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
- Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- Fix a low-impact SQL injection by trusted users.
- Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Additionally, Jetpack – the feature-rich plugin suite from wordpress.com – was updated to version 2.9.3 to address similar issues.
If your site is currently operating a WordPress version below 3.8.2 or Jetpack version below 2.9.3, you may be at risk and should consider upgrading as soon as possible.
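A quick way to check an install against the two fixed versions named above, as an added example that is not part of the original post or of WordPress/Jetpack itself: it reads the `$wp_version` assignment from `wp-includes/version.php` and the `Version:` plugin header from `jetpack.php`, then compares them numerically. The file contents below are constructed samples.

```python
import re

# Fixed releases named in the advisory above.
WP_FIXED = "3.8.2"
JETPACK_FIXED = "2.9.3"

# Constructed sample file contents standing in for the real files.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.8.1';\n"
SAMPLE_JETPACK_PHP = "<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: 2.9.3\n */\n"


def parse_version(s):
    """Turn '3.8.2' into (3, 8, 2); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def wp_version_from_source(src):
    """Extract the $wp_version string from wp-includes/version.php text."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", src)
    return m.group(1) if m else None


def jetpack_version_from_source(src):
    """Extract the 'Version:' line from the plugin header of jetpack.php text."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]\S*)", src, re.MULTILINE)
    return m.group(1) if m else None


def needs_update(found, fixed):
    """True when the installed version is older than the fixed release.
    An unreadable version is treated as unpatched rather than silently passed."""
    if found is None:
        return True
    # Tuple comparison handles short versions: (3, 8) < (3, 8, 2) is True.
    return parse_version(found) < parse_version(fixed)


def audit(wp_src, jetpack_src):
    """Return {component: (version_found, needs_update)} for both files."""
    wp = wp_version_from_source(wp_src)
    jp = jetpack_version_from_source(jetpack_src)
    return {
        "wordpress": (wp, needs_update(wp, WP_FIXED)),
        "jetpack": (jp, needs_update(jp, JETPACK_FIXED)),
    }


if __name__ == "__main__":
    for name, (ver, outdated) in audit(SAMPLE_VERSION_PHP, SAMPLE_JETPACK_PHP).items():
        print(f"{name}: {ver} -> {'UPDATE NEEDED' if outdated else 'ok'}")
```

To run it against a real install, read the two files from disk and pass their text to `audit()` in place of the samples.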