WordPress 4.0.1 is a Critical Security Release that Fixes a Cross-Site Scripting Vulnerability

WordPress core contributors released a security update today. All users who have not yet received the automatic update are encouraged to update as soon as possible. WordPress 4.0.1 is a critical security release that provides a fix for a critical cross-site scripting vulnerability, originally reported by Jouko Pynnonen on September 26th.

Sites running WordPress versions 3.9.2 and earlier are affected by the vulnerability. Although installs running 4.0 are not specifically affected, this security update also includes fixes for 23 bugs and eight security issues.

According to the official WordPress version usage stats, only 14.4% of sites are currently running 4.0. This means that the vast majority of WordPress sites and in need of this critical update. A large number of those sites are also running versions that pre-date the automatic background updates that were introduced in WordPress 3.7.


If you want to keep your site on the cutting edge of security updates, it’s critical to have automatic background updates enabled. If you haven’t manually turned them off, WordPress 3.7+ has automatic updates enabled for minor releases by default. This includes maintenance, security, and translation file updates.

Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.


27 responses to “WordPress 4.0.1 is a Critical Security Release that Fixes a Cross-Site Scripting Vulnerability”

  1. The truly scary thing is that according to https://wordpress.org/about/stats/ more than 50% of WordPress sites are on 3.6 or older. There is no automatic update to patch the security issue for those sites.

    That means more than 50% of the WordPress sites out there are vulnerable to people dropping appropriately formatted JavaScript in a comment. Drop a comment and redirect all users loading that page to a different website.

    It just goes so show that automatic updates for security releases are truly great! Well done to the devs that got that into core! But there’s still a lot of vulnerable websites out there. :(

  2. Ahhh, that satisfying glow of waking to “OMFG the world is ending! UP DATE NOW!!!” news from WordPress land, then checking my email and seeing a message from hours beforehand which says “Your WordPress installation has been updated to version 4.0.1”. Automatic updates FTW :)

    • If you have any plugins installed which use “shortcodes”, try deleting them and see if that automatically fixes it.

      I put shortcodes in quote marks above, as the plugin probably isn’t using actual WordPress shortcodes, but is using it’s own system instead.

      If you can pinpoint a problem plugin, then go see if there is an update for it. If there is no update available, or if an update doesn’t fix the problem, then post a question in the WordPress.org support forums about it and post a link to it here. If no one on dot org beats me to it, then I’ll take a look at the code and try to work out a fix for you.

  3. I’m a little surprised that there hasn’t been more discussion on the Internet about the vulnerability affecting 3.0 to 3.9.2.

    I get that no one likes it when everyone jumps on the let’s bash WordPress security bandwagon, but there is such a thing as responsible disclosure. This vulnerability is extremely serious and very widespread, so I think more effort should be made to let people know, even if that results in some of those posts we all hate.

    I guess I’m influenced by the fact that a) I have a copy of the proof of concept code to exploit the vulnerabilty and b) I was in the middle of the response to the Slider Revolution vulnerability.

    I’ve seen how easy it is to hack a site with this. Find any site running 3.0 to 3.6 (12% of the entire Internet) with comments enabled and you can exploit it. If they don’t have moderation turned on, you can instantly redirect any page to the page of your choosing for all visitors. I have a video of how easy it is on my website. Not to mention you can add an admin user when it’s run on the backend.

    So this looks more serious than the rev slider one. Also, the rev slider one potentially affected up to 1000 themes (it turned out only 338 were actually affected). This one affects 12% of the entire internet!

    The rev slider author was highly criticised for not making everyone aware of the issue. They were notified of a vulnerabilty, fixed it and then released an update marked as containing a security fix. That wasn’t enough – people said they should have done more to make all users aware of how serious it was.

    In this case, the WordPress project was notified of a vulnerability, they fixed it and then released an automatic update (yay!). They also released a post saying there was a critical security issue, which is more than what the rev slider author did. But more than half the affected users didn’t get updated automatically. How many of those will actually see the blog post about the vulnerabilty? Maybe a few will see it in the dashboard. But have we really done everything we can to make all users aware of how serious it is (the thing that the rev slider author was accused of not doing)?

    The first thing most of the 12% are going to know about this is when they get hacked. I guess that’s fine? Serves them right for not staying updated? I’ve seen people express that sentiment. Personally, I think we can do a better job of getting the word out.

    I guess we were lucky in the rev slider case because once it did get wider exposure, Envato could step in and email everyone who had ever purchased a potentially affected theme. There’s no one to do that in this case… Which means the only alternative is spread this news far and wide by writing about how serious it is and how many people are affected.

    Anyway, sorry for the rant. I’m just genuinely surprised how this has been like a pebble dropped in the ocean (compared to a boulder being dropped in for the rev slider one). Somehow, I was expecting more.

  4. If anyone is having trouble with the visuallightbox plugin, this fixed it:

    Open up the visuallightbox.php file.

    Add this function right above the line that says // initialization

    function visuallightboxtag_func($atts) {
    return visuallightbox($atts[‘id’], false);


    then comment out the add_filter and add the add_shortcode lines below

    //add_filter(‘the_content’, ‘visuallightbox_injection’);
    add_shortcode(‘visuallightbox’, ‘visuallightboxtag_func’);


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: