This evening WordPress 4.0.1 Security Release was issued.
NurtureWP clients have been updated and informed.
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
- Three cross-site scripting issues that a contributor or author could use to compromise a site
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
This new version also fixes 23 bugs with the previous major version 4.0.