WordPress Issues Critical Security Update
WordPress 4.0 introduced many changes, and a few security issues slipped through with it. The good news is that they were caught quickly: if you keep your WordPress core files updated to the newest release, you should have received the 4.0.1 security update automatically.
If you did not receive the automatic update, update your blog now.
WordPress states in their own announcement that:
“Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes”
Version 4.0.1 addresses the following security issues:
- Multiple cross-site scripting issues that a user with contributor or author privileges could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- A potential denial of service issue when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- A hash collision that could allow a user’s account to be compromised.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Make sure to check every WordPress installation you are responsible for, not just the ones you visit regularly. Older versions are affected as well.
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
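A quick way to audit a server for forgotten installs is to look for every `wp-includes/version.php` under the web root and compare the `$wp_version` it declares against 4.0.1. The script below is an added example for this post, not code from WordPress; it builds three throwaway fake installs under a temporary directory (the directory names, versions and the `MIN_VERSION` threshold are constructed for the demo) so it can be run without touching a live site.

```shell
#!/bin/sh
# Added example: find WordPress installs below a given release and flag them.
# Assumes the standard layout, where wp-includes/version.php contains a line
# such as:  $wp_version = '4.0';

MIN_VERSION="4.0.1"   # the release discussed in this post

# Print the $wp_version value declared in a version.php file.
wp_version_of() {
  awk -F"'" '/^\$wp_version/ { print $2 }' "$1"
}

# Exit 0 when dotted version $1 is older than $2 (e.g. 3.9.2 < 4.0.1).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0;
      bi = (i <= nb) ? y[i] + 0 : 0;
      if (ai < bi) exit 0;
      if (ai > bi) exit 1;
    }
    exit 1;
  }'
}

# Walk a directory tree; print "<install root> <version> <STATUS>" per install.
scan_wordpress() {
  find "$1" -type f -path '*/wp-includes/version.php' | while read -r f; do
    root=$(dirname "$(dirname "$f")")
    v=$(wp_version_of "$f")
    if [ -z "$v" ]; then
      echo "$root unknown CHECK"          # file present but unparsable
    elif version_lt "$v" "$MIN_VERSION"; then
      echo "$root $v OUTDATED"
    else
      echo "$root $v OK"
    fi
  done
}

# Number of installs reported as OUTDATED under a tree.
count_outdated() {
  scan_wordpress "$1" | grep -c OUTDATED
}

# Constructed sample data: three fake installs in a temp dir (not real sites).
make_demo() {
  d=$(mktemp -d)
  for site in "blog:4.0" "shop:3.9.2" "docs:4.0.1"; do
    name=${site%%:*}
    ver=${site#*:}
    mkdir -p "$d/$name/wp-includes"
    printf '<?php\n$wp_version = '"'"'%s'"'"';\n' "$ver" \
      > "$d/$name/wp-includes/version.php"
  done
  echo "$d"
}

# Usage on a real server: scan_wordpress /var/www
# Demo run:
if [ "${1:-}" = "demo" ]; then
  DEMO=$(make_demo)
  scan_wordpress "$DEMO"
  rm -rf "$DEMO"
fi
```

Run it as `sh audit.sh demo` to see the constructed sample, or call `scan_wordpress /var/www` against a real web root. Anything reported as `OUTDATED` or `CHECK` needs a manual look; the version file only tells you the core release, so it says nothing about plugins or themes.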
We are grateful to the WordPress staff and community for their continued efforts in making WordPress updates and keeping this software secure. They put in a ton of time and effort, and the best thing you can do to show your appreciation is to update your blogs and avoid getting hacked.