For those of you who haven't updated to WP 3.6.1 yet

I know a lot of people have issues with WordPress upgrades. There is no way to stage an update without cloning the site so it's a plug & pray operation. Once the site breaks, you go into a panic trying to fix it before a client notices. It doesn't happen often but it's happened once and that was enough - so you just avoid updates for the first two weeks.

WordPress 3.6.1 isn't introducing any major new features. When you see these little third-digit incremental updates, they are actually really critical because they are security releases.

This is what version 3.6.1 fixes:
http://vagosec.org/2013/09/wordpress-php-object-injection/

Go update. Security releases are the least likely to break your site because they don't actually replace major features with new code. In case you were wondering, fingerprinting a site is easy. No matter what you do, WPScan can still figure out what version of WordPress you are using. Deleting things like the generator tag and readme.html makes it harder, but they aren't even a minor inconvenience if I'm out to get you.

This is sample output of a very basic site scan - and on a fairly well secured site too. I advised the client on several items, like replacing user IDs 1-10 with a random 7-digit string and blocking user ID enumeration.

As you can see, in this case 3.6 was fingerprinted from the RSS generator, even though the client followed the web's advice about deleting readme.html and removing the generator tag in the source. Even had the RSS been removed as well, the scan would have checked the site's features and fingerprinted the version a few seconds later.
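As an added example (not part of the original post), here is a small Python self-check for the three version disclosure points named above: the generator meta tag, the RSS generator element and readme.html. It runs on constructed sample responses; the sample bodies, the function names and the 3.6.1 cut-off are assumptions for illustration, and a clean result only means the easy leaks are closed, since the scanner still fingerprints from other features.

```python
import re
from typing import Dict, Optional

# Constructed sample responses standing in for three pages of one WordPress 3.6 site
# (front page, RSS feed, readme.html); they are not captured from any real host.
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 3.6" /></head></html>'
SAMPLE_RSS = ('<?xml version="1.0"?><rss version="2.0"><channel><title>Blog</title>'
              '<generator>http://wordpress.org/?v=3.6</generator></channel></rss>')
SAMPLE_README = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
                 '<br /> Version 3.6</h1>')

# Each pattern extracts the dotted version number from one disclosure point.
LEAK_PATTERNS = {
    "meta_generator": re.compile(
        r'<meta[^>]*name=["\']generator["\'][^>]*content=["\']WordPress\s+([\d.]+)', re.I),
    "rss_generator": re.compile(
        r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>', re.I),
    "readme_html": re.compile(r'\bVersion\s+([\d.]+)', re.I),
}

def parse_version(v: str):
    """'3.6' -> (3, 6); tuples compare correctly where plain string comparison would not."""
    return tuple(int(p) for p in v.split("."))

def find_version_leaks(html: str, rss: str, readme: Optional[str]) -> Dict[str, Optional[str]]:
    """Return the version string found at each disclosure point, or None if absent."""
    bodies = {"meta_generator": html, "rss_generator": rss, "readme_html": readme or ""}
    leaks = {}
    for name, pattern in LEAK_PATTERNS.items():
        m = pattern.search(bodies[name])
        leaks[name] = m.group(1) if m else None
    return leaks

def audit(html: str, rss: str, readme: Optional[str], fixed: str = "3.6.1") -> Dict[str, object]:
    """Summarise leaks and whether any disclosed version predates the security release."""
    leaks = find_version_leaks(html, rss, readme)
    versions = {v for v in leaks.values() if v}
    outdated = any(parse_version(v) < parse_version(fixed) for v in versions)
    return {"leaks": {k: v for k, v in leaks.items() if v},
            "versions": sorted(versions), "outdated": outdated}

if __name__ == "__main__":
    # readme=None models a site that deleted readme.html (404) but left its feed untouched,
    # which is exactly the situation in the scan below.
    print(audit(SAMPLE_HTML, SAMPLE_RSS, None))
```

To run it against your own site, fetch `/`, `/feed/` and `/readme.html` and pass the response bodies (or None for a 404) into `audit`.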

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _  | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__ _|_| |_|

        WordPress Security Scanner by the WPScan Team
                    Version v2.1r2cbb48f
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.redacted.com/
| Started on Fri Sep 13 22:25:53 2013

[+] robots.txt available under 'http://www.redacted.com/robots.txt'
[!] The WordPress 'http://www.redacted.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.redacted.com/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under http://www.redacted.com/xmlrpc.php
[+] WordPress version 3.6 identified from rss generator

[!] We have identified 1 vulnerabilities from the version number :
 |
 | * Title: PHP Object Injection
 | * Reference: http://vagosec.org/2013/09/wordpress-php-object-injection/
 | * Reference: http://www.openwall.com/lists/oss-security/2013/09/12/1
 | * Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340
 | * Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340

[+] The WordPress theme in use is breeze v2.6

 | Name: breeze v2.6
 | Location: http://www.redacted.com/wp-content/themes/breeze/

[+] Enumerating installed plugins (only vulnerable ones) ...

   Time: 00:06:05 <=====================================> (527 / 527) 100.00% Time: 00:06:05

[+] We found 1 plugins:

 | Name: backwpup v3.0.12
 | Location: http://www.redacted.com/wp-content/plugins/backwpup/
 | Readme: http://www.redacted.com/wp-content/plugins/backwpup/readme.txt
 |
 | * Title: BackWPUp 2.1.4 Code Execution
 | * Reference: http://www.exploit-db.com/exploits/17987/
 |
 | * Title: plugin BackWPup 1.5.2, 1.6.1, 1.7.1 Remote and Local Code Execution Vulnerability
 | * Reference: http://osvdb.org/71481
 |
 | * Title: BackWPup wp-admin/admin.php tab Parameter XSS
 | * Reference: https://www.htbridge.com/advisory/HTB23161
 | * Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4626
 | * Reference: http://secunia.com/advisories/54515
 | * Reference: http://osvdb.org/96505

[+] Enumerating installed themes (only vulnerable ones) ...

   Time: 00:01:42 <=====================================> (167 / 167) 100.00% Time: 00:01:42

No themes found :(

[+] Enumerating timthumb files ...

   Time: 00:25:17 <===================================> (2417 / 2417) 100.00% Time: 00:25:17

No timthumb files found :(

[+] Enumerating usernames ...
[+] We found the following 6 user/s :
    +----+------------+------------------------+
    | Id | Login      | Name                   |
    +----+------------+------------------------+
    | 1  | redacted   | Posts by Redacted      |
    | 3  | redacted   | Posts by Redacted      |
    | 4  | redacted   | Posts by Redacted      |
    | 6  | redacted   | Posts by Redacted      |
    | 7  | redacted   | Posts by Redacted      |
    | 8  | redacted   | Posts by Redacted      |
    +----+------------+------------------------+

[+] Finished at Fri Sep 13 22:59:32 2013
[+] Elapsed time: 00:33:39
Exiting!

Go update your sites. Stay safe out there.