WordPress 4.0.1 Updates Millions of Sites for 8 Flaws

The content management and blogging platform pushes fixes for cross-site scripting, cross-site request forgery and password-reset attacks to users automatically.

Owners of millions of sites running the open-source WordPress platform received email notifications over the last 24 hours advising them that their site had been updated. The new WordPress 4.0.1 update provides multiple security fixes and data-hardening improvements to help secure WordPress sites.
The WordPress 4.0.1 update is the first incremental update for WordPress since the 4.0 release in September. The 4.0.1 update provides 23 bug fixes and an additional 8 security vulnerability fixes.
Among the security updates in the 4.0.1 release are fixes for three cross-site scripting (XSS) vulnerabilities. An XSS vulnerability lets an attacker inject script into pages served by a trusted site, so that the script runs in other users' browsers with that site's privileges. Passwords are always a target for attackers, and the WordPress 4.0.1 update includes a number of updates related to password security.
There is a fix for what WordPress describes as a “cross-site request forgery that could be used to trick users into changing their passwords.” Cross-site request forgery (CSRF) is another common form of attack, in which an attacker tricks an authenticated user's browser into submitting a request the user did not intend; because the browser attaches the site's cookies automatically, the site processes the forged request as if the user had made it.
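To make the CSRF point concrete, here is an added example that is not code from the article or from WordPress (which is written in PHP): a stand-alone Python sketch of a change-password handler that rejects a forged cross-site form post. The session store, user table, server secret and field names are all constructed for the illustration. The token is an HMAC over the session identifier and the action name, so a form auto-submitted from an attacker's page, which carries the victim's cookie but cannot read it or the server secret, cannot supply a valid token.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for server state (hypothetical, for illustration only).
SERVER_SECRET = secrets.token_bytes(32)
USERS = {"alice": {"password": "correct horse", "email": "alice@example.test"}}
SESSIONS = {"sess-1234": "alice"}  # session cookie value -> logged-in user


def csrf_token(session_id: str, action: str) -> str:
    """Derive a token bound to both the session and the action.

    The attacker's page can make the victim's browser send the session cookie,
    but it cannot read that cookie or SERVER_SECRET, so it cannot compute this value.
    """
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def change_password(request: dict) -> tuple:
    """Handle a POST to the change-password endpoint.

    `request` mimics what the server sees: the cookies the browser attached
    (it does so even for a form posted from another site) and the form fields.
    """
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"

    form = request.get("form", {})
    submitted = form.get("_csrf", "")
    expected = csrf_token(session_id, "change-password")
    # Constant-time comparison; a missing token or one minted for another action fails.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"

    new_password = form.get("new_password", "")
    if not new_password:
        return 400, "empty password"
    USERS[user]["password"] = new_password
    return 200, "password changed"


def legitimate_request(new_password: str) -> dict:
    """The site's own form carries the token it rendered for this session and action."""
    return {
        "cookies": {"session": "sess-1234"},
        "form": {"_csrf": csrf_token("sess-1234", "change-password"),
                 "new_password": new_password},
    }


def forged_request(new_password: str, guessed_token: str = "") -> dict:
    """A form auto-submitted from the attacker's page: the victim's browser adds the
    session cookie, but the attacker can only guess at the token field."""
    return {
        "cookies": {"session": "sess-1234"},
        "form": {"_csrf": guessed_token, "new_password": new_password},
    }


if __name__ == "__main__":
    print(change_password(forged_request("pwned")))          # (403, ...)
    print(change_password(legitimate_request("n3w-pa55")))   # (200, ...)
```

Binding the token to the action name matters: a token the attacker harvested for a harmless action on the same site (say, a comment form) must not unlock the password change, which is why the example derives it per action rather than per session only.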


A common feature of many content management and blogging platforms, WordPress included, is a password reset for users who have forgotten their password: the user requests a reset and the site emails a link that allows a new password to be set. Such reset links are also a path to exploitation, because anyone who can read the email can use the link. A fix in the WordPress 4.0.1 update mitigates one such password-reset risk by invalidating an outstanding password-reset link if the user actually remembers the password, logs into the site and changes the associated email address.
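The following is an added example, not code from the article or from WordPress, showing one way to implement the behaviour just described in stand-alone Python: reset tokens are single-use, expire, and are bound to the email address on file at the time they were issued, so a link that was sent to an old address stops working once the user logs in and changes that address. The user table, token store, TTL and the `now` parameter (passed in so the expiry logic can be exercised without waiting) are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory state (hypothetical, for illustration only).
USERS = {"bob": {"email": "bob@old.example", "password": "hunter2"}}
RESET_TOKENS = {}  # sha256(token) -> record; only the hash is stored server-side
RESET_TTL = 3600   # seconds a reset link stays valid


def _fingerprint(user: str, email: str) -> str:
    """Identity of 'this user with this email'; a token is bound to it at issue time."""
    return hashlib.sha256(f"{user}|{email}".encode()).hexdigest()


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(user: str, now: float = None) -> str:
    """Issue a reset token for `user` (in a real site this goes into the emailed link)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "user": user,
        "expires": now + RESET_TTL,
        "bound_to": _fingerprint(user, USERS[user]["email"]),
    }
    return token


def change_email(user: str, new_email: str) -> None:
    """Logged-in email change: update the address and drop every outstanding reset token."""
    USERS[user]["email"] = new_email
    for key in [k for k, rec in RESET_TOKENS.items() if rec["user"] == user]:
        del RESET_TOKENS[key]


def consume_reset(token: str, new_password: str, now: float = None) -> tuple:
    """Validate a reset link and, if it is still good, set the new password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(_token_key(token), None)  # pop: a token can be used once
    if rec is None:
        return False, "unknown or already-used token"
    if now > rec["expires"]:
        return False, "expired"
    current = _fingerprint(rec["user"], USERS[rec["user"]]["email"])
    # Defence in depth: even if some code path changed the email without calling
    # change_email, a token bound to the old address is refused.
    if not hmac.compare_digest(rec["bound_to"], current):
        return False, "email changed since issue"
    USERS[rec["user"]]["password"] = new_password
    return True, "password reset"


if __name__ == "__main__":
    link = request_reset("bob")
    change_email("bob", "bob@new.example")   # user remembered the password and logged in
    print(consume_reset(link, "attacker-chosen"))  # (False, ...): the old link is dead
```

Storing only the hash of the token means a leaked copy of the token table does not yield usable links, and the explicit revocation in `change_email` plus the fingerprint check in `consume_reset` cover both the intended path and any path that updates the address some other way.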

There is also an update in WordPress 4.0.1 to limit the risk of a denial-of-service (DoS) attack when passwords are being checked.
The security and bug fix update for WordPress users is being automatically delivered to those already running the WordPress 4.0 release. WordPress has provided automatic updating for incremental security and bug-fix updates since the WordPress 3.7 release in October 2013.
The automatic updates, however, do not apply to major releases. A site still on WordPress 3.7.x, for example, would not be automatically moved to the new WordPress 4.0.1 release. Instead, WordPress has shipped incremental updates for the older release branches, with the 3.7.5, 3.8.5 and 3.9.3 releases providing fixes for the critical security issues.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Article source: http://www.eweek.com/security/wordpress-4.0.1-updates-millions-of-sites-for-8-flaws.html