Multiple Critical Vulnerabilities in WordPress Core

WordPress 4.0.1 has just been released and with it the announcement that multiple critical vulnerabilities have been discovered and fixed in several versions of WordPress Core including the current version 4.0.

We strongly recommend that you immediately upgrade to WordPress 4.0.1. With this release the existence of the vulnerabilities has now been made public. The researchers have not released technical details or exploits, but the knowledge that these exist is enough to create a significant risk that exploits will appear in the wild shortly.

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

WordPress 4.0 is affected by the following vulnerabilities which have been fixed in 4.0.1:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
  • Version 4.0.1 also fixes 23 bugs with 4.0, and makes two hardening changes, including better validation of EXIF data extracted from uploaded photos.

Please spread the word as fast as possible that it’s critically important to update to WordPress 4.0.1 now and help keep the community secure.

Kudos to the WP Core team for their response to this and for getting these fixes out. The official release announcement is here along with credit to the researchers who found the vulnerabilities.

Did you enjoy this post? Share it!


  • I have updated this morning

  • Far out.

    Its been a long time since this bad an issue has been raised with WordPress. I just hope that the big sites get their stuff updated ASAP.

    An update a day keeps the script-kiddies at bay :D

    • LOL. Going to quote that.

    • I think WordPress 2.3.2 in 2008 was when the last core vulnerability was detected.

  • Dear Wordfence, you emails always scare the crap out of me.
    All updatede nicely, thanks for the warning.

    • Dear Mrfoxtalbot: Sorry about that. The world is a scary place. ;-)



  • From the main post, it reads as though 3.9.3 is not affected by any of these vulnerabilities - is that correct? I just ask because although I had anyway been planning to upgrade to 4.0, it's just a tad inconvenient right now.

    • Hi Ron,

      From the article: "If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.". So that's my reading too: that presumably 3.9.3 is secure.

  • Thanks, Mark

  • First I want to thank you for providing this great security plugin.

    Yesterday evening (CET) I checked and found my website was updated to 4.0.1 automatically. This morning I was quite surprised I found a Wordfence alert e-mail that during the night it had found a lot of critical problems because WP Core files were modified.

    I just ran a scan and it seems that your repository is not updated to 4.0.1 yet. How long will this normally take to update? Or am I in real trouble now....

    Another thing is that I use a localized (NL-Dutch) WordPress version. A Wordfence scan finds WordPress wp-includes/version.php is modified, because of the additional line: "$wp_local_package = 'nl_NL';".

    I've now marked this file as "ignored" but whenever this file gets changed I will not be notified about it. I would like to mark this file as "valid" so I'll be notified about any other changes to this file in the future. Or maybe you could add all local WP versions to your repository...

    Something for a next Wordfence release? I think a lot of foreign users will like it.



    • Update:

      There happened to be translation issues with the first release of the Dutch - NL WordPress 4.0.1 security release causing Wordfence scan to alert.

      I guess the Dutch - NL file have been reproduced correctly, since a reinstall of 4.0.1 solved my (and other NL WordPress users) issue.

  • Thanks for the timely and vital information!