
WordPress 4.0.1 has been released with multiple security fixes

Time to update WordPress

WordPress 4.0 was released two months back, on 4th September 2014 (oh, my birthday 😉), and on 20th November 2014 WordPress 4.0.1 shipped as a security release patching eight security bugs. The problems are not limited to 4.0: older branches are affected as well, which is why the 3.9, 3.8 and 3.7 branches received releases on the same day.

The 4.0.1 release fixes the following:

  • Three XSS (cross-site scripting) vulnerabilities that a user with the Contributor or Author role could use to compromise the site.
  • One CSRF (cross-site request forgery) vulnerability that could be used to trick a logged-in user into changing their own password.
  • Additional protection against SSRF (server-side request forgery) when WordPress itself makes HTTP requests.
  • A hash collision bug that could lead to account compromise; it is extremely unlikely in practice, but possible.
  • A bug in password checking that could lead to a DoS (denial of service).
  • An extra check that invalidates the links in a password reset email once the user remembers their password, logs in and changes their email address.

For more details, see the WordPress blog post for this release:

If you are running

  • 4.0, then update to 4.0.1.
  • 3.9.2 or lower, then update to 3.9.3.
  • 3.8.4 or lower, then update to 3.8.5.
  • 3.7.4 or lower, then update to 3.7.5.
  • 3.6 or lower, then may God help you and your site 😉. These branches get no security backports at all, so move to the latest WordPress version and make your site at least that much less vulnerable (who knows how many more vulnerabilities are waiting).
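The quickest way to find out which branch a site is on without logging in is to read `wp-includes/version.php`. The script below is an added example for this post, not code from WordPress itself: it parses that file, works out the branch, and prints the patched release from the table above using PHP's `version_compare`. The branch table and the advice text are taken from the list above; the script path and the document root argument are assumptions.

```php
<?php
// Added example (not from the original post or from WordPress core):
// read the installed WordPress version from wp-includes/version.php and
// report whether it needs updating, using the branch table from the post.
// Usage: php wp-version-check.php /var/www/html

// Patched release for each affected branch, as listed in the 4.0.1 announcement.
const PATCHED_RELEASES = array(
    '4.0' => '4.0.1',
    '3.9' => '3.9.3',
    '3.8' => '3.8.5',
    '3.7' => '3.7.5',
);

// Return the version string declared in version.php, or null if not found.
function installed_version( $docroot ) {
    $file = rtrim( $docroot, '/' ) . '/wp-includes/version.php';
    $src  = @file_get_contents( $file );
    if ( $src === false ) {
        return null;
    }
    // version.php contains a line like:  $wp_version = '4.0';
    if ( preg_match( '/\$wp_version\s*=\s*\'([^\']+)\'/', $src, $m ) ) {
        return $m[1];
    }
    return null;
}

// Map a full version (e.g. '3.9.2') to its branch ('3.9') and look up the fix.
function patched_release_for( $version ) {
    $parts  = explode( '.', $version );
    $branch = $parts[0] . '.' . ( isset( $parts[1] ) ? $parts[1] : '0' );
    return isset( PATCHED_RELEASES[ $branch ] ) ? PATCHED_RELEASES[ $branch ] : null;
}

function advice( $version ) {
    $fixed = patched_release_for( $version );
    if ( $fixed === null ) {
        // Branches before 3.7 predate automatic updates and get no backports.
        if ( version_compare( $version, '3.7', '<' ) ) {
            return "$version: unsupported branch, upgrade to the current release (4.0.1 at the time of writing)";
        }
        return "$version: branch not covered by this advisory, check wordpress.org/news";
    }
    if ( version_compare( $version, $fixed, '>=' ) ) {
        return "$version: already at or above $fixed";
    }
    return "$version: vulnerable, update to $fixed";
}

$docroot = isset( $argv[1] ) ? $argv[1] : '.';
$v       = installed_version( $docroot );
echo ( $v === null )
    ? "Could not find wp-includes/version.php under $docroot\n"
    : advice( $v ) . "\n";
```

Run it against each document root on a shared host; `version_compare` handles the two-component version `4.0` as well as three-component ones like `3.9.2`, so no special-casing is needed.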

Check the link below for CVE details of all known WordPress vulnerabilities:

Most hacked WordPress sites (by the author's estimate, more than 80%) were compromised because they were not kept updated or upgraded. The image below makes the point. Please update your WordPress site as soon as possible.

WordPress blogs are not upgraded: reasons for getting hacked

Since 3.7, WordPress installs minor (security and maintenance) releases such as 4.0.1 on its own by default. If you also want major releases (4.0 to 4.1, for example) applied automatically, add the following line to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

For details on enabling or disabling automatic updates for core, themes and plugins, see the link below:
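The `WP_AUTO_UPDATE_CORE` constant is an all-or-nothing switch. The must-use plugin below is an added example for this post, not code from WordPress or from the original author: it pins an update policy with the documented core filters (`allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `allow_dev_auto_core_updates`, `auto_update_plugin`, `auto_update_theme`), which take precedence over the constant for the cases they cover, and it records the two constants that silently switch the updater off. The file location, the plugin slugs and the theme slug are assumptions.

```php
<?php
// Added example (not from the original post or WordPress core): a must-use
// plugin, e.g. wp-content/mu-plugins/update-policy.php, that pins the
// automatic-update policy in code. Constants and filters are the documented
// WordPress ones; the file path and the allow-lists below are assumptions.

// 1. Core.
//    No constant in wp-config.php  -> minor releases only (4.0 -> 4.0.1), the default.
//    define( 'WP_AUTO_UPDATE_CORE', true );    -> minor and major (4.0 -> 4.1) releases.
//    define( 'WP_AUTO_UPDATE_CORE', 'minor' ); -> same as the default, stated explicitly.
//    define( 'WP_AUTO_UPDATE_CORE', false );   -> no core updates at all; do not do this.
// The filters give finer control than the constant and override it:
add_filter( 'allow_minor_auto_core_updates', '__return_true' );  // always take 4.0.x security releases
add_filter( 'allow_major_auto_core_updates', '__return_false' ); // stage 4.1 by hand after testing
add_filter( 'allow_dev_auto_core_updates',   '__return_false' ); // never follow nightlies on a live site

// 2. Plugins and themes are NOT updated automatically by default.
//    Allow-list only the ones you are happy to have replaced without review.
function update_policy_plugin( $update, $item ) {
    // $item->slug is the plugin directory name; these slugs are assumptions.
    $trusted = array( 'akismet', 'wordpress-seo' );
    return in_array( $item->slug, $trusted, true ) ? true : $update;
}
add_filter( 'auto_update_plugin', 'update_policy_plugin', 10, 2 );

function update_policy_theme( $update, $item ) {
    // $item->theme is the theme directory name; this slug is an assumption.
    return ( $item->theme === 'twentyfourteen' ) ? true : $update;
}
add_filter( 'auto_update_theme', 'update_policy_theme', 10, 2 );

// 3. Settings that disable everything above, no matter what the filters say:
//    define( 'AUTOMATIC_UPDATER_DISABLED', true ); // turns the whole updater off
//    define( 'DISALLOW_FILE_MODS', true );         // blocks all file writes, updater included
//    The updater also skips a site whose web root is a version-control checkout
//    (.git, .svn, .hg or .bzr present); such a site has to be updated through
//    its deployment pipeline instead.
```

Drop the file into `wp-content/mu-plugins/` (create the directory if it does not exist); must-use plugins load on every request and cannot be deactivated from the dashboard, so the policy cannot be switched off by an admin account that is later compromised. Check the result under Dashboard, Updates, or by reading the `auto_core_update_failed` option and the update emails the site sends after each run.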

Files updated in this release are:

  1. readme.html
  2. wp-admin/about.php
  3. wp-admin/includes/class-wp-plugin-install-list-table.php
  4. wp-admin/includes/image.php
  5. wp-admin/includes/plugin-install.php
  6. wp-admin/includes/post.php
  7. wp-admin/js/editor-expand.js
  8. wp-admin/js/editor-expand.min.js
  9. wp-admin/js/media.js
  10. wp-admin/js/media.min.js
  11. wp-admin/plugin-install.php
  12. wp-admin/press-this.php
  13. wp-admin/upload.php
  14. wp-includes/canonical.php
  15. wp-includes/class-phpass.php
  16. wp-includes/css/media-views-rtl.css
  17. wp-includes/css/media-views-rtl.min.css
  18. wp-includes/css/media-views.css
  19. wp-includes/css/media-views.min.css
  20. wp-includes/formatting.php
  21. wp-includes/http.php
  22. wp-includes/js/media-grid.js
  23. wp-includes/js/media-grid.min.js
  24. wp-includes/js/media-views.js
  25. wp-includes/js/media-views.min.js
  26. wp-includes/js/mediaelement/flashmediaelement.swf
  27. wp-includes/js/mediaelement/mediaelement-and-player.min.js
  28. wp-includes/js/quicktags.js
  29. wp-includes/js/quicktags.min.js
  30. wp-includes/js/tinymce/plugins/wpeditimage/plugin.js
  31. wp-includes/js/tinymce/plugins/wpeditimage/plugin.min.js
  32. wp-includes/js/tinymce/plugins/wpview/plugin.js
  33. wp-includes/js/tinymce/plugins/wpview/plugin.min.js
  34. wp-includes/js/tinymce/wp-tinymce.js.gz
  35. wp-includes/kses.php
  36. wp-includes/link-template.php
  37. wp-includes/media-template.php
  38. wp-includes/media.php
  39. wp-includes/ms-functions.php
  40. wp-includes/pluggable.php
  41. wp-includes/post.php
  42. wp-includes/session.php
  43. wp-includes/user.php
  44. wp-includes/version.php
  45. wp-login.php

Those interested in testing the new features of the next release, WordPress 4.1 (scheduled for 10th December 2014), can download the 4.1 pre-release and play with it (not on a live site, please).

All WordPress releases so far are listed here:
