wp-includes/pluggable.php takes a different amount of time to reject an invalid CSRF nonce depending on which characters in the nonce are incorrect, which allows attackers to bypass a CSRF protection mechanism via a brute-force attack.
Related records:
http://db.threatpress.com/vulnerability/wordpress/wordpress-3-9-1-multiple-vulnerabilities
Update WordPress.
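A timing difference of the kind described above arises when a comparison stops at the first mismatching character. The PHP sketch below is an added example, not WordPress code: it counts loop iterations for an early-exit comparison and for a constant-time one, and checks the result against PHP's built-in `hash_equals()`. The function names and the sample nonce are constructed for illustration.

```php
<?php
// Added illustration, not WordPress code. Names and the sample nonce are constructed.

// Early-exit comparison: returns at the first differing byte, so the amount
// of work (and the response time) grows with the length of the matching prefix.
function leaky_equals(string $expected, string $supplied): array
{
    $steps = 0;
    $n = strlen($expected);
    if ($n !== strlen($supplied)) {
        return [false, $steps];
    }
    for ($i = 0; $i < $n; $i++) {
        $steps++;
        if ($expected[$i] !== $supplied[$i]) {
            return [false, $steps];
        }
    }
    return [true, $steps];
}

// Constant-time comparison: every byte is examined whatever the input, and
// differences are accumulated with OR so no branch depends on the secret.
function constant_time_equals(string $expected, string $supplied): array
{
    $steps = 0;
    $n = strlen($expected);
    if ($n !== strlen($supplied)) {
        return [false, $steps];
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $steps++;
        $diff |= ord($expected[$i]) ^ ord($supplied[$i]);
    }
    return [$diff === 0, $steps];
}

$expected = 'a1b2c3d4e5'; // constructed sample nonce
foreach (['zzzzzzzzzz', 'a1zzzzzzzz', 'a1b2c3zzzz', 'a1b2c3d4e5'] as $supplied) {
    [, $leakySteps] = leaky_equals($expected, $supplied);
    [$ok, $ctSteps] = constant_time_equals($expected, $supplied);
    // hash_equals() (PHP >= 5.6) is the built-in to use in production code.
    $builtin = hash_equals($expected, $supplied);
    printf("%s leaky_steps=%2d ct_steps=%2d match=%s builtin=%s\n",
        $supplied, $leakySteps, $ctSteps, var_export($ok, true), var_export($builtin, true));
}
```

When auditing plugin or theme code for the same weakness, look for nonces, tokens or signatures compared with `==`, `===` or `strcmp()` and replace those comparisons with `hash_equals()`.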