WordPress 4.0.1 was released today to patch a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site. WordPress versions 3.9.2 and earlier are affected.

If you have not yet done so, back up your site files and database and upgrade to WordPress 4.0.1 immediately.

If you are not yet running WordPress 4.0, versions 3.9.3, 3.8.5, and 3.7.5 have also been released with the same security fixes and can be applied to your installation to keep it secure. Keep in mind, however, that those branches of WordPress are no longer supported, so you should plan to upgrade to 4.0.1 as soon as possible.

Although the most critical issue does not affect version 4.0, the release also contains additional security fixes, so a WordPress 4.0 installation should be updated as well.

NOTE! All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been updated to WordPress 4.0.1. There is nothing further you need to do.

So what’s patched in WordPress 4.0.1?

Security Issues Addressed

Per the WordPress 4.0.1 release notes, in addition to the critical cross-site scripting vulnerability, this update patches the following:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
  • An extremely unlikely hash collision that could allow a user’s account to be compromised; exploiting it also required that the user had not logged in since 2008 (that is, the account’s password was still stored in the pre-2008 hash format).
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.

Version 4.0.1 also fixes 23 bugs in 4.0 and applies two hardening changes, including better validation of EXIF data extracted from uploaded photos.

Updating Your Site

If you are not subscribed to one of ESC! Technologies Group’s WordPress Maintenance plans, then before upgrading from any version prior to WordPress 4.0.0 you will want to:

1. Confirm that all your third-party plugins are compatible with the new version, and upgrade them if necessary
2. Confirm that your theme and any framework it depends on are compatible, and upgrade them if necessary
3. Deactivate any caching plugins you have installed
4. Perform a full backup of your site files and database
5. Upgrade WordPress
6. After the upgrade completes, re-enable your caching plugins and test your site
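The procedure above, as an added shell script that is not part of the original post or of WordPress itself. It assumes WP-CLI (the `wp` command) is installed on the server and that wp-config.php holds the database credentials; the paths, the caching-plugin slugs and the target version are placeholders. Steps 1 and 2 still need a person to read each plugin’s and theme’s compatibility notes; the script only lists what is outdated, then backs up, verifies the backup, and performs the update.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: pre-upgrade backup plus a
# WP-CLI driven core update following the steps above. Assumes WP-CLI ("wp")
# is installed and that wp-config.php holds the database credentials. Paths,
# plugin slugs and the target version are hypothetical placeholders.
set -eu

# Caching plugins to deactivate for the update (step 3) and re-enable
# afterwards (step 6). Hypothetical list; adjust to what your site runs.
CACHING_PLUGINS="wp-super-cache w3-total-cache"

# Step 4: back up site files and database into a timestamped directory under
# $backup_root, then record checksums so the backup can be verified later.
# Prints the path of the new backup directory.
backup_site() {
  local site_dir="$1" backup_root="$2"
  local stamp dest
  stamp="$(date +%Y%m%d-%H%M%S)"
  dest="$backup_root/wp-backup-$stamp"
  mkdir -p "$dest"
  # Archive from the parent directory so the tarball unpacks to one folder.
  tar -czf "$dest/files.tar.gz" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  # WP-CLI reads DB_NAME/DB_USER/DB_PASSWORD from wp-config.php for the export.
  if command -v wp >/dev/null 2>&1; then
    wp --path="$site_dir" db export "$dest/database.sql" >/dev/null
  fi
  (cd "$dest" && sha256sum ./* > SHA256SUMS)
  printf '%s\n' "$dest"
}

# A backup you have not verified is not a backup: re-check every file's hash.
verify_backup() {
  local dest="$1"
  (cd "$dest" && sha256sum -c --quiet SHA256SUMS)
}

# Steps 1-2 cannot be fully automated, but WP-CLI can show what is outdated so
# each plugin's compatibility notes can be checked before the core update.
list_outdated_plugins() {
  local site_dir="$1"
  wp --path="$site_dir" plugin list --update=available --fields=name,version,update_version
}

# Steps 3, 5 and 6: deactivate caching, update core to the requested version,
# run the database migrations, then reactivate only the plugins we turned off.
upgrade_core() {
  local site_dir="$1" version="$2"
  local deactivated="" p
  for p in $CACHING_PLUGINS; do
    if wp --path="$site_dir" plugin is-active "$p" 2>/dev/null; then
      wp --path="$site_dir" plugin deactivate "$p"
      deactivated="$deactivated $p"
    fi
  done
  wp --path="$site_dir" core update --version="$version"
  wp --path="$site_dir" core update-db
  for p in $deactivated; do
    wp --path="$site_dir" plugin activate "$p"
  done
  # Confirm the running version before declaring success.
  wp --path="$site_dir" core version
}

# Usage: ./wp-upgrade.sh /var/www/example.com /var/backups 4.0.1
if [ "$#" -eq 3 ]; then
  list_outdated_plugins "$1"
  backup_dir="$(backup_site "$1" "$2")"
  verify_backup "$backup_dir"
  upgrade_core "$1" "$3"
fi
```

Run it as the account that owns the WordPress files rather than root, so the updated files keep their existing ownership, and keep the backup directory outside the web root so the archive and the SQL dump are never served by the web server.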

If you have any questions, or would like to learn more about our maintenance plans, please Contact Us.