WordPress 4.0.1 Updates Millions of Sites for 8 Flaws
The content management and blogging system automatically updates users for cross-site scripting, request forgery and password-reset-attack protection.Millions of open-source WordPress site owners received email notifications over the last 24 hours advising them of a site update. The new WordPress 4.0.1 update provides multiple security fixes and data-hardening improvements to help secure WordPress sites. The WordPress 4.0.1 update is the first incremental update for WordPress since the 4.0 release in September. The 4.0.1 update provides 23 bug fixes and an additional 8 security vulnerability fixes. Among the security updates in the 4.0.1 release are fixes for three cross-site scripting (XSS) vulnerabilities. An XSS vulnerability can potentially enable an attacker to inject malicious code in a trusted site. Passwords are always a target for attackers, and the WordPress 4.0.1 update includes a number of updates related to password security. There is a fix for what WordPress describes as a "cross-site request forgery that could be used to trick users into changing their passwords." Cross-site request forgery (CSRF) is another common form of attack in which an authenticated user is somehow tricked into performing an action.
A common feature for many content management and blogging platforms, including WordPress, is a user password reset feature for a forgotten email. With the password reset, the user clicks a button to send a reset email in the event of a forgotten password. Password resets can also be a path to exploitation for attackers. A fix in the WordPress 4.0.1 update mitigates one such password-reset risk, by invalidating a password-reset email link if the user actually remembers the password, logs into the site and changes the associated email address.