WordPress 4.0.1 Security Update
Today WordPress has released a security update, fixing several security holes plus 23 bugs.
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
It’s important to check your installs and install the latest update and install if required. Luckily most WordPress installs will automatically update using the built in auto-update script. Unfortunately the host I use does not support this (nor the automatic install via the dashboard), so I need to manually download the file, unzip and upload via FTP. A bit of a pain, but necessary.
For full details, view on the official website – WordPress 4.0.1
Or jump straight in – Download Latest Version of WordPress