A vulnerability has been discovered in the MailPoet plugin for the Wordpress content management system. This vulnerability can be exploited to inject malware into a vulnerable site, allowing attackers to upload any file to the server and thus installing a backdoor to the website. Any customers making use of Wordpress are advised to check for the presence of MailPoet, and if installed, upgrade to version 2.6.7 or higher. It is also recommended to run a code and log audit in order to check for suspect content.
Due to Engine Yard's use of individual customer instances, no customers' applications are at risk through the exploitation of another customer's vulnerabilities, but other PHP applications (such as Magento) installed alongside a vulnerable Wordpress installation on the same instance may be at risk of code injection and should also be checked.
For further information please see:
In addition to this, a new version of WordPress was released recently that contains various security changes, including:
Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default)
Prevents information disclosure via XML entity attacks in the external GetID3 library
Adds protections against brute attacks against CSRF tokens
Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
We always recommend running the most recent version of WordPress and you can find out more about version 3.9.2 at: http://wordpress.org/news/2014/08/wordpress-3-9-2/