Yesterday afternoon, WordPress announced a new critical security release, recommending that all users update their sites immediately.WordPress websites that support automatic updates were updated within a few hours of the release. Users who were running WordPress 3.9.2, 3.8.4, or 3.7.4 were updated to 3.9.3, 3.8.5, or 3.75 to keep everything secure. WordPress 3.9.2 and older versions were found to be affected by a critical cross-site scripting vulnerability – leaving the site open for anonymous users to attack. The issue does NOT affect version 4.0, however version 4.0.1 does address additional security issues including:
- 3 cross-site scripting issues that could compromise a site from a contributor or author.
- A cross-site request forgery that could trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protection for server-side request forgery attacks when WordPress makes HTTP requests.
- WordPress will now invalidate the link in a password reset email if the user remembers their password, logs in and changes their email address.