The latest version of WordPress is now available to download and install. It’s an important security release that fixes several security issues along with a number of bugs.
The security fixes are:
- Potential authentication cookie forgery. CVE-2014-0166.
- Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
- (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- (Hardening) Fix a low-impact SQL injection by trusted users.
- (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
There’s more information available in the WordPress Codex. If you already allow automatic updates, the release will apparently install over the next 12 hours, or you can update manually now. As always, it’s best to back up your site before any significant WordPress or plugin update.