WordPress has just released version 4.0.1, a small update that resolves several potentially nasty security holes. Everyone is encouraged to update their sites immediately.
Among the fixes:
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision that could allow a user’s account to be compromised; exploiting it also required that the user hadn’t logged in since 2008.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
If you’re already on version 4.0, the update should happen automatically. If you have GreenMellen monitoring your sites, we’ll verify that the update occurred as it should (or update manually) and that things are running smoothly.
If you’re on an older version or with a host that doesn’t support automatic WordPress updates, you’ll want to go in and update yours manually (after you back it up!) as soon as possible.
You can read more about this on the official WordPress blog.