Multiple Critical Vulnerabilities in WordPress Core
WordPress 4.0.1 has just been released and with it the announcement that multiple critical vulnerabilities have been discovered and fixed in several versions of WordPress Core including the current version 4.0.
We strongly recommend that you immediately upgrade to WordPress 4.0.1. With this release the existence of the vulnerabilities has now been made public. The researchers have not released technical details or exploits, but the knowledge that these exist is enough to create a significant risk that exploits will appear in the wild shortly.
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
WordPress 4.0 is affected by the following vulnerabilities which have been fixed in 4.0.1:
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
- Version 4.0.1 also fixes 23 bugs with 4.0, and makes two hardening changes, including better validation of EXIF data extracted from uploaded photos.
Please spread the word as fast as possible that it’s critically important to update to WordPress 4.0.1 now and help keep the community secure.
Kudos to the WP Core team for their response to this and for getting these fixes out. The official release announcement is here along with credit to the researchers who found the vulnerabilities.