WordPress 4.0.1

Welcome to WordPress 4.0.1

Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.

A cross-site request forgery that could be used to trick a user into changing their password.

An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.

Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).

An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.

WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

I would say that it is mandatory to update your WordPress installation, because of these important security fixes.

Santa Monica, CA 90403, USA

© 37prime, 2006-2024. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to 37prime and content authors with appropriate and specific direction to the original content.

In the spirit of transparency, in contradiction to the site tagline, no we are not using the so called “A.I.” to write contents for this site.

One more thing… we love sarcasm and satire. We do have a failed comedian in our team.