From ${URL}: WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases. WordPress 3.9.2 also contains other security changes
Maintainer(s), please drop the vulnerable version(s).
Cleanup was done. There is only 3.9.3 in the 3.9.x branch.
CVE-2014-5240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5240): Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

CVE-2014-5205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5205): wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

CVE-2014-5204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5204): wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

CVE-2014-5203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5203): wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.
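As an added illustration that is not WordPress's own code, the simplified PHP sketch below puts the two nonce weaknesses described above (undelimited concatenation of action and uid, CVE-2014-5205, and a comparison whose timing depends on which characters are wrong, CVE-2014-5204) beside hardened versions. The secret key and the action/uid values are constructed samples, and the HMAC-based hashing is a stand-in for the real token scheme, not a reproduction of it.

```php
<?php
// Added example, not code from wp-includes/pluggable.php.
// $secret is a constructed sample key standing in for the site's salts.
$secret = 'constructed-sample-secret-key';

// Weak: action and uid are concatenated with no delimiter, so two distinct
// (action, uid) pairs can produce the same input string and hence the same token.
function weak_nonce(string $action, string $uid, string $secret): string {
    return substr(hash_hmac('md5', $action . $uid, $secret), -12, 10);
}

// Hardened: a delimiter that cannot occur inside either field keeps the pairs apart.
function safe_nonce(string $action, string $uid, string $secret): string {
    return substr(hash_hmac('md5', $action . '|' . $uid, $secret), -12, 10);
}

// Weak: an early-exit string comparison returns sooner the earlier the first
// mismatching character is, which is the timing behaviour CVE-2014-5204 describes.
function weak_verify(string $expected, string $guess): bool {
    return $expected === $guess;
}

// Hardened: hash_equals() (PHP >= 5.6) compares in time independent of where
// the strings differ, so a wrong guess reveals nothing about partial matches.
function safe_verify(string $expected, string $guess): bool {
    return hash_equals($expected, $guess);
}

// Constructed pairs whose undelimited concatenation is identical:
// 'edit-post12' . '3'  and  'edit-post1' . '23'  both read "edit-post123".
$pairs = [['edit-post12', '3'], ['edit-post1', '23']];

printf("weak tokens collide: %s\n",
    weak_nonce($pairs[0][0], $pairs[0][1], $secret) === weak_nonce($pairs[1][0], $pairs[1][1], $secret) ? 'yes' : 'no');
printf("delimited tokens collide: %s\n",
    safe_nonce($pairs[0][0], $pairs[0][1], $secret) === safe_nonce($pairs[1][0], $pairs[1][1], $secret) ? 'yes' : 'no');

// Verification of a valid token and of a different token through the constant-time path.
$token = safe_nonce('edit-post12', '3', $secret);
printf("valid token accepted: %s\n", safe_verify($token, $token) ? 'yes' : 'no');
printf("other token accepted: %s\n", safe_verify($token, safe_nonce('edit-post1', '23', $secret)) ? 'yes' : 'no');
```

Both fixes are independent: the delimiter removes token collisions between different action/uid pairs, while the constant-time comparison removes the per-character timing signal; a defender reviewing similar token code should look for both.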