WordPress 4.0.1 is a Critical Security Release that Fixes a Cross-Site Scripting Vulnerability

WordPress core contributors released a security update today. All users who have not yet received the automatic update are encouraged to update as soon as possible. WordPress 4.0.1 is a critical security release that provides a fix for a critical cross-site scripting vulnerability, originally reported by Jouko Pynnonen on September 26th.

Sites running WordPress versions 3.9.2 and earlier are affected by the vulnerability. Although installs running 4.0 are not specifically affected, this security update also includes fixes for 23 bugs and eight security issues.

According to the official WordPress version usage stats, only 14.4% of sites are currently running 4.0. This means that the vast majority of WordPress sites are in need of this critical update. A large number of those sites are also running versions that pre-date the automatic background updates that were introduced in WordPress 3.7.


If you want to keep your site on the cutting edge of security updates, it’s critical to have automatic background updates enabled. If you haven’t manually turned them off, WordPress 3.7+ has automatic updates enabled for minor releases by default. This includes maintenance, security, and translation file updates.

Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.

27 Comments


  1. Unbelievable that only 14.4% of WordPress sites are on 4.0. I thought it was around 90%.
    Updating WordPress is so simple and easy … Probably many people still prefer complicated things …



    1. Yeah, that is surprising. Most of the sites I peek at seem to be running 4.0 or at least 3.9. Probably a bunch of neglected old sites lying around.



    2. Most people that don’t update are afraid that the upgrade might break their themes (and most of the times, a major update does break the theme).



    3. Maybe they have other, important things to do than updating some technology to some other technology?



  2. The WordPress update 4.0.1 broke the Cool Video Gallery plugin. I had to roll back to WordPress 4.0 to get the CVG working again.



    1. Also broke imagemapper – appears to be an issue with quotation marks being “curled” before passing to the plug-in for processing (it improperly uses an “add_filter” that preg’s the shortcode instead of the proper “add_shortcode”…)



  3. Oh man.

    It’s been a very long time since such a big exploit was released against a current WordPress version. I just hope no serious attacks are executed from this vulnerability.



  4. Wow, nice. My site was automagically updated to the latest version 4.0.1 even before I finished reading this post :-)



  5. The truly scary thing is that according to https://wordpress.org/about/stats/ more than 50% of WordPress sites are on 3.6 or older. There is no automatic update to patch the security issue for those sites.

    That means more than 50% of the WordPress sites out there are vulnerable to people dropping appropriately formatted JavaScript in a comment. Drop a comment and redirect all users loading that page to a different website.

    It just goes to show that automatic updates for security releases are truly great! Well done to the devs that got that into core! But there’s still a lot of vulnerable websites out there. :(



    1. I think it’s ok, these outdated sites have to be hacked, and the sooner the better. Then the owner/developer probably will delete it or change and update.



      1. Oh yeah, up to 12% of the Internet redirecting visitors to malware sites. That’ll teach them! :)



  6. Ahhh, that satisfying glow of waking to “OMFG the world is ending! UP DATE NOW!!!” news from WordPress land, then checking my email and seeing a message from hours beforehand which says “Your WordPress installation has been updated to version 4.0.1”. Automatic updates FTW :)



  7. Automatically broke several of our sites. Plugins stopped working, themes not working. Been a nightmare of a day…



  8. I’ve had the automatic update overnight on 20/21st November. Now I can’t even get onto my site! I’m at a loss how to get to the Dashboard or the site to get my site back up again :( Very unhappy!!



    1. Annie, you can activate WP_DEBUG in your wp-config.php file to get a PHP error. That should give you the location of the file causing the issues.



    2. If you have any plugins installed which use “shortcodes”, try deleting them and see if that automatically fixes it.

      I put shortcodes in quote marks above, as the plugin probably isn’t using actual WordPress shortcodes, but is using its own system instead.

      If you can pinpoint a problem plugin, then go see if there is an update for it. If there is no update available, or if an update doesn’t fix the problem, then post a question in the WordPress.org support forums about it and post a link to it here. If no one on dot org beats me to it, then I’ll take a look at the code and try to work out a fix for you.



  9. I’m a little surprised that there hasn’t been more discussion on the Internet about the vulnerability affecting 3.0 to 3.9.2.

    I get that no one likes it when everyone jumps on the let’s bash WordPress security bandwagon, but there is such a thing as responsible disclosure. This vulnerability is extremely serious and very widespread, so I think more effort should be made to let people know, even if that results in some of those posts we all hate.

    I guess I’m influenced by the fact that a) I have a copy of the proof of concept code to exploit the vulnerability and b) I was in the middle of the response to the Slider Revolution vulnerability.

    I’ve seen how easy it is to hack a site with this. Find any site running 3.0 to 3.6 (12% of the entire Internet) with comments enabled and you can exploit it. If they don’t have moderation turned on, you can instantly redirect any page to the page of your choosing for all visitors. I have a video of how easy it is on my website. Not to mention you can add an admin user when it’s run on the backend.

    So this looks more serious than the rev slider one. Also, the rev slider one potentially affected up to 1000 themes (it turned out only 338 were actually affected). This one affects 12% of the entire internet!

    The rev slider author was highly criticised for not making everyone aware of the issue. They were notified of a vulnerability, fixed it and then released an update marked as containing a security fix. That wasn’t enough – people said they should have done more to make all users aware of how serious it was.

    In this case, the WordPress project was notified of a vulnerability, they fixed it and then released an automatic update (yay!). They also released a post saying there was a critical security issue, which is more than what the rev slider author did. But more than half the affected users didn’t get updated automatically. How many of those will actually see the blog post about the vulnerability? Maybe a few will see it in the dashboard. But have we really done everything we can to make all users aware of how serious it is (the thing that the rev slider author was accused of not doing)?

    The first thing most of the 12% are going to know about this is when they get hacked. I guess that’s fine? Serves them right for not staying updated? I’ve seen people express that sentiment. Personally, I think we can do a better job of getting the word out.

    I guess we were lucky in the rev slider case because once it did get wider exposure, Envato could step in and email everyone who had ever purchased a potentially affected theme. There’s no one to do that in this case… Which means the only alternative is to spread this news far and wide by writing about how serious it is and how many people are affected.

    Anyway, sorry for the rant. I’m just genuinely surprised how this has been like a pebble dropped in the ocean (compared to a boulder being dropped in for the rev slider one). Somehow, I was expecting more.



    1. Well the problem was fixed. So I don’t think anyone can be bothered putting energy into helping people who put themselves in this situation voluntarily.



  10. If anyone is having trouble with the visuallightbox plugin, this fixed it:

    Open up the visuallightbox.php file.

    Add this function right above the line that says // initialization

    // Shortcode handler: receives the parsed attributes of [visuallightbox id="..."]
    function visuallightboxtag_func($atts) {
        return visuallightbox($atts['id'], false);
    }

    then comment out the add_filter and add the add_shortcode lines below

    // Stop regex-matching the tag out of the_content; register it as a real shortcode instead.
    //add_filter('the_content', 'visuallightbox_injection');
    add_shortcode('visuallightbox', 'visuallightboxtag_func');


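The two comments above (the “curled” quotation marks explanation and this visuallightbox fix) describe a plugin regex-matching its own bracket tag out of the_content instead of registering it with add_shortcode. The script below is an added, stand-alone illustration of that difference, not code from the plugin, from WordPress core or from the commenters: texturize(), do_shortcode_min(), naive_injection() and render_gallery() are deliberately simplified stand-ins for the corresponding WordPress behaviour, the sample post is constructed, and it assumes PHP 7.4 or later.

```php
<?php
// Added illustration only; every helper here is a simplified stand-in, not WordPress code.
function curl_quotes(string $text): string {
    // Straight quotes become typographic ones, as the editor's texturize filter does.
    return str_replace(["'", '"'], ["\u{2019}", "\u{201D}"], $text);
}

// Stand-in for wptexturize(): curl quotes in prose, but leave any tag that is
// registered via add_shortcode() untouched so its attributes survive intact.
function texturize(string $content, array $registered): string {
    if ($registered === []) {
        return curl_quotes($content);
    }
    $tags  = implode('|', array_map('preg_quote', array_keys($registered)));
    $parts = preg_split('/(\[(?:' . $tags . ')\b[^\]]*\])/', $content, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {   // even indexes are prose, odd ones are registered tags
            $parts[$i] = curl_quotes($part);
        }
    }
    return implode('', $parts);
}

function render_gallery(int $id): string {
    return '<div class="gallery" data-id="' . $id . '"></div>';
}

// Fragile "before": a the_content filter that regex-matches the raw bracket text
// and only understands straight quotes, the pattern the broken plugins relied on.
function naive_injection(string $content): string {
    return preg_replace_callback('/\[visuallightbox id=\'(\d+)\'\]/',
        fn($m) => render_gallery((int) $m[1]), $content);
}

// Stand-in for do_shortcode(): dispatch registered tags to their handlers.
function do_shortcode_min(string $content, array $registered): string {
    return preg_replace_callback('/\[(\w+)\s+id=[\'"]?(\d+)[\'"]?\]/',
        fn($m) => isset($registered[$m[1]]) ? $registered[$m[1]](['id' => $m[2]]) : $m[0],
        $content);
}
function demo(): array {
    $post = "Gallery: [visuallightbox id='7'] and a 'quoted' word.";   // constructed sample
    // Before: nothing registered, so the quotes inside the tag are curled and the regex misses.
    $before = naive_injection(texturize($post, []));
    // After: the tag is registered, texturize() skips it and the handler receives id=7.
    $registered = ['visuallightbox' => fn(array $atts) => render_gallery((int) $atts['id'])];
    return ['before' => $before, 'after' => do_shortcode_min(texturize($post, $registered), $registered)];
}
print_r(demo());
```

Running it shows the 'before' output still containing the literal bracket text with curled quotes, while the 'after' output has the tag replaced by the gallery markup for id 7.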
Comments are closed.