wp-includes/pluggable.php does not use delimiters when concatenating action values and uid values in CSRF tokens, which allows attackers to bypass a CSRF protection mechanism via a brute-force attack.
Related records:
http://db.threatpress.com/vulnerability/wordpress/wordpress-3-9-1-multiple-vulnerabilities-2
Update WordPress.
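
The concatenation issue described above, as an added example in a simplified model (not WordPress's code and not part of this record); the key, function names and sample action/uid values are constructed assumptions. Without a separator, two different (action, uid) pairs serialize to the same string and therefore receive the same token, while a delimited encoding keeps them distinct.

```php
<?php
// Simplified model for illustration only; not WordPress's implementation.
const DEMO_KEY = 'constructed-demo-key'; // constructed value, not a real secret

// Ambiguous form: the fields are joined with no separator, so the boundary
// between action and uid is not part of the authenticated message.
function token_no_delimiter(string $action, int $uid): string
{
    return substr(hash_hmac('sha256', $action . $uid, DEMO_KEY), 0, 10);
}

// Hardened form: a fixed separator marks each field boundary, and the
// separator is rejected inside the action so it cannot be forged there.
function token_delimited(string $action, int $uid): string
{
    if (strpos($action, '|') !== false) {
        throw new InvalidArgumentException('action must not contain "|"');
    }
    return substr(hash_hmac('sha256', $action . '|' . $uid, DEMO_KEY), 0, 10);
}

// Constructed sample pairs: different actions and different user ids
// whose undelimited concatenation is the same string, "delete-post_123".
$first  = ['delete-post_1', 23];
$second = ['delete-post_12', 3];

$sameWithout = hash_equals(
    token_no_delimiter(...$first),
    token_no_delimiter(...$second)
);
$sameWith = hash_equals(
    token_delimited(...$first),
    token_delimited(...$second)
);

echo 'tokens equal without delimiter: ', var_export($sameWithout, true), PHP_EOL;
echo 'tokens equal with delimiter:    ', var_export($sameWith, true), PHP_EOL;
```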