WordPress 4.0 was released 2 months back, on 4th September 2014 (Oh My Birthday 😉 ), and 8 security bug fixes were patched in the security update WordPress 4.0.1 on 20th November 2014. The issues affect not only WordPress 4.0 but lower versions as well.
The latest release fixes the following vulnerabilities:
- 3 XSS vulnerabilities through which a contributor or author could compromise the site.
- 1 CSRF (Cross-Site Request Forgery) vulnerability that could trick a user into changing the site password.
- 1 additional protection added to check for SSRF (Server-Side Request Forgery) while making HTTP requests.
- 1 hash collision bug that may lead to account compromise; rare, but possible.
- A functionality bug in password checking that could lead to a DoS attack.
- An extra check added to invalidate the links in a password reset email if the user remembers the password, logs in, and/or changes the email address.
For more details, check the WordPress blog post for this release: https://wordpress.org/news/2014/11/wordpress-4-0-1/
If you are running
- 4.0, then update to 4.0.1.
- 3.9.2 or lower, then update to 3.9.3.
- 3.8.4 or lower, then update to 3.8.5.
- 3.7.5 or lower, then update to 3.7.5.
- 3.6 or lower, then May God help you and your site 😉 Please use only the latest WordPress version and make your site less vulnerable at least. (Who knows, more vulnerabilities may be awaiting soon.)
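To make the version table above mechanical, here is an added example (not code from the original post or from WordPress) that reads the `$wp_version` line from wp-includes/version.php and reports which fixed release a site needs. The file contents below are a constructed sample; the branch-to-version mapping is taken from the list above.

```python
"""Decide which WordPress security release an installed site needs.

Added example: encodes the post's branch-to-fixed-version table and parses
the `$wp_version` assignment found in wp-includes/version.php.
"""
import re

# Fixed releases per branch, as listed in the post. Branches older than
# 3.7 have no fixed release in the list, so they must move to the latest.
FIXED_BY_BRANCH = {
    (4, 0): "4.0.1",
    (3, 9): "3.9.3",
    (3, 8): "3.8.5",
    (3, 7): "3.7.5",
}
LATEST = "4.0.1"


def parse_version(text):
    """Turn '3.9.2', '4.0' or '4.1-beta1' into a 3-tuple of ints (missing parts are 0)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def version_from_file(contents):
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", contents)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def required_update(version):
    """Return (needs_update, target_version) for an installed version string."""
    v = parse_version(version)
    target = FIXED_BY_BRANCH.get(v[:2], LATEST)  # unknown branch -> latest release
    return (v < parse_version(target), target)


# Constructed sample of the relevant line in wp-includes/version.php
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.9.2';\n"

if __name__ == "__main__":
    installed = version_from_file(SAMPLE_VERSION_PHP)
    needs, target = required_update(installed)
    print(installed, "->", target if needs else "already on a fixed release")
```

On a real install, replace the constructed sample with `open('wp-includes/version.php').read()`.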
Check the link below for CVE details of all known WordPress vulnerabilities.
Most hacked WordPress sites (more than 80%) are compromised because they are not properly updated or upgraded. This image really makes sense. Please update your WordPress site ASAP.
If you want to auto-update WordPress core for both minor and major releases, you may consider adding the line below to wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', true );
If you need any other details on enabling or disabling the auto-update feature for WordPress core, themes, plugins, etc., check the link below:
Files updated in this release are:
Those interested in testing new features in the next release, i.e. WordPress 4.1 (scheduled for release on 10th December 2014), can download WordPress 4.1 and play with it (not on a live site, please).
Check all WordPress version releases so far here: https://wordpress.org/download/release-archive/