WordPress 4.0.1 is a ‘critical security release’ that addresses multiple vulnerabilities

The WordPress Security Team recently released an update to address multiple vulnerabilities in the WordPress core platform.
WordPress version 4.0.1 is a security release only. There are no new features in this update. According to the official release, the WordPress Security Team ranks this as a “critical security release for all previous versions” of the WordPress platform and they “strongly encourage you to update your sites immediately.”
This update fixes multiple vulnerabilities discovered in the WordPress core platform; however, the most serious of these is a cross-site scripting vulnerability found in versions 3.9.2 and earlier that “could enable anonymous users to compromise a site.”
In a breakdown for Threatpost, security writer Michael Mimoso explains that “an attacker would need only to inject malicious JavaScript into a comment that would infect a reader viewing it on the webpage or an admin in the management dashboard.”
Additional vulnerabilities fixed in 4.0.1 include:
  • Three cross-site scripting issues that a contributor or author could use to compromise a site.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
  • An extremely unlikely hash collision could allow a user’s account to be compromised, which also required that they haven’t logged in since 2008.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
The update also fixes 23 bugs found in WordPress 4.0, as well as some hardening and validation changes.
For more information on WordPress 4.0.1, you can read the official release announcement here. If you’d like a deep dive into the details on the update, you can consult the release notes here, or the documented list of changes to the WordPress core here.
As always, if you have any questions about setting up your own site’s updates, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.
Works Cited / For Further Reading:
WordPress 4.0.1 update patches critical XSS vulnerability. (Threatpost)
WordPress 4.0.1 updates millions of sites for 8 flaws. (eWeek)
WordPress 4.0.1 security release announcement. (WordPress.org)
WordPress 4.0.1 critical security release notes. (WordPress.org Codex)
List of changes to WordPress core for 4.0.1. (WordPress.org)