WordPress 4.0.1 has just been released, and with it the announcement that multiple critical vulnerabilities have been discovered and fixed in several versions of WordPress Core, including the current version 4.0.
We strongly recommend that you upgrade to WordPress 4.0.1 immediately. The researchers have not released technical details or exploits, but the knowledge that these flaws exist is enough to create a significant risk that working exploits will appear in the wild shortly. If your site has automatic background updates enabled (the default for minor releases since WordPress 3.7), it may already have been updated; check the installed version rather than assuming either way.
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability that could enable anonymous (unauthenticated) users to compromise a site.
WordPress 4.0 is affected by the following issues, all of which are addressed in 4.0.1:
- Three cross-site scripting issues that a user with the Contributor or Author role could use to compromise a site.
- A cross-site request forgery that could be used to trick a logged-in user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections against server-side request forgery (SSRF) when WordPress makes outbound HTTP requests.
- An extremely unlikely hash collision that could allow a user's account to be compromised; this also requires that the user has not logged in since 2008.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Version 4.0.1 also fixes 23 bugs in 4.0 and makes two hardening changes, including better validation of EXIF data extracted from uploaded photos.
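To tell which of the two cases above applies to a given install, the first thing to establish is the exact version running. The script below is an added example written for this post, not code from WordPress or from TiTANIUM Web Consulting: it reads the `$wp_version` string from `wp-includes/version.php` (or from a site's `<meta name="generator">` tag, when one is exposed), compares it against 4.0.1, and lists the issues from this post that apply. The sample `version.php` text and HTML snippet are constructed for the example. The classification is deliberately simple: anything below 4.0.1 is treated as needing the upgrade this post recommends, and it does not account for separate security releases on older 3.x branches, so treat a "vulnerable" result as a prompt to verify rather than a verdict.

```python
import os
import re

# Constructed stand-in for the wp-includes/version.php shipped with WordPress 4.0
# (written for this example, not copied from a real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.0';

/**
 * Holds the WordPress DB revision
 */
$wp_db_version = 29630;
"""

# Constructed HTML head of a site that still advertises its version in the generator tag.
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 4.0" /></head>'

# Issue summaries follow the post above; 4.0.1 is the first version clear of both lists.
FIXED_IN = "4.0.1"
ISSUES_PRE_4_0 = [
    "critical cross-site scripting exploitable by anonymous users (3.9.2 and earlier)",
]
ISSUES_4_0 = [
    "three cross-site scripting issues usable by a Contributor or Author",
    "cross-site request forgery that can trick a user into changing their password",
    "denial of service when passwords are checked",
    "missing SSRF protections on outbound HTTP requests",
    "unlikely hash collision for accounts not logged in since 2008",
    "password reset links not invalidated after login and email change",
]


def version_tuple(version):
    """'4.0' -> (4, 0); '4.0.1' -> (4, 0, 1). A pre-release suffix such as
    '4.0.1-RC1' is dropped, which treats the RC as its final release (assumption)."""
    core = re.split(r"[-+ ]", version, maxsplit=1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a WordPress version string: %r" % version)
    return tuple(int(p) for p in parts)


def parse_version_php(text):
    """Extract the $wp_version assignment from the contents of wp-includes/version.php."""
    m = re.search(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""", text)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def parse_generator_tag(html):
    """Return the version from <meta name="generator" content="WordPress X.Y">,
    or None when the site does not expose one (many hardened sites strip it)."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([0-9.]+[^"]*)"',
                  html, re.I)
    return m.group(1) if m else None


def assess_wp_version(version):
    """Classify an installed version against the two cases in the post:
    3.9.2 and earlier, and 4.0. Anything at or above 4.0.1 is clear."""
    t = version_tuple(version)
    if t >= version_tuple(FIXED_IN):
        return {"version": version, "upgrade_needed": False, "issues": []}
    issues = ISSUES_4_0 if t >= version_tuple("4.0") else ISSUES_PRE_4_0
    return {"version": version, "upgrade_needed": True, "issues": list(issues)}


def assess_install(root):
    """Read wp-includes/version.php under an install root on disk and assess it."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as f:
        return assess_wp_version(parse_version_php(f.read()))


if __name__ == "__main__":
    # Local check against the constructed version.php, then the remote-style check.
    print(assess_wp_version(parse_version_php(SAMPLE_VERSION_PHP)))
    print("generator tag reports:", parse_generator_tag(SAMPLE_HTML))
```

On a real server, call `assess_install("/var/www/html")` (or wherever the install lives) and act on `upgrade_needed`; the generator-tag check is only useful as a coarse external scan, since a missing tag tells you nothing about the version.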
Reduce the risk of your WordPress site being hacked by staying up to date on the latest WordPress security threats. TiTANIUM Web Consulting offers WordPress security packages to keep your site safe and secure. We also make sure your site is secure and backed up weekly, remove spam comments, optimise the database, and more. Contact us today to enquire about a maintenance package for your site.