1. petercralen

    Unbelievable that only 14.4% of WordPress sites are on 4.0. I thought it was around 90%.
    Updating WordPress is so simple and easy … Probably many people still prefer complicated things …


  2. Keith Davis

    Thanks Sarah
    Just started getting the update emails coming through….


  3. Angus

    Thank you. Was wondering what was in the update.


  4. Louie Anderson

    The WordPress update 4.0.1 broke the Cool Video Gallery plugin. I had to roll back to WordPress 4.0 to get the CVG working again.


  5. Ben Casey

    Oh man.

    It's been a very long time since such a big exploit was released against a current WordPress version. I just hope no serious attacks are executed from this vulnerability.


  6. Joseph

    Wow, nice. My site was automagically updated to the latest version 4.0.1 even before I finish reading this post :-)


  7. Stephen Cronin

    The truly scary thing is that according to https://wordpress.org/about/stats/ more than 50% of WordPress sites are on 3.6 or older. There is no automatic update to patch the security issue for those sites.

    That means more than 50% of the WordPress sites out there are vulnerable to people dropping appropriately formatted JavaScript in a comment. Drop a comment and redirect all users loading that page to a different website.

    It just goes to show that automatic updates for security releases are truly great! Well done to the devs that got that into core! But there's still a lot of vulnerable websites out there. :(


  8. Ryan Hellyer

    Ahhh, that satisfying glow of waking to “OMFG the world is ending! UP DATE NOW!!!” news from WordPress land, then checking my email and seeing a message from hours beforehand which says “Your WordPress installation has been updated to version 4.0.1”. Automatic updates FTW :)


  9. Digital Essence

    Automatically broke several of our sites. Plugins stopped working, themes not working. Been a nightmare of a day…


  10. Ipstenu (Mika Epstein)

    For what it’s worth, I’m adding all known plugin issues (and themes) to this post: https://wordpress.org/support/topic/issues-with-wordpress-401-and-shortcodes?replies=2

    The tl;dr is rolling your OWN shortcode instead of using the API was dangerous anyway. :/ Now you know why.


  11. Annie Conbou

    I've had the automatic update overnight on 20/21st November. Now I can't even get onto my site! I'm at a loss how to get to the Dashboard or the site to get my site back up again :( Very unhappy!!


    • Ben Casey

      Annie, you can activate WP_DEBUG in your wp-config.php file to get a PHP error. That should give you the location of the file causing the issues.


    • Ryan Hellyer

      If you have any plugins installed which use “shortcodes”, try deleting them and see if that automatically fixes it.

      I put shortcodes in quote marks above, as the plugin probably isn't using actual WordPress shortcodes, but is using its own system instead.

      If you can pinpoint a problem plugin, then go see if there is an update for it. If there is no update available, or if an update doesn’t fix the problem, then post a question in the WordPress.org support forums about it and post a link to it here. If no one on dot org beats me to it, then I’ll take a look at the code and try to work out a fix for you.

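    The debugging step Ben Casey describes above, written out as a wp-config.php fragment. This is an added example, not code from the original thread or from WordPress itself; the constant names are real WordPress settings, the placement comment is an assumption about a stock wp-config.php.

```php
<?php
// wp-config.php (added example, not from the original thread).
// Assumed placement: above the line that reads
// /* That's all, stop editing! Happy blogging. */

define( 'WP_DEBUG', true );          // report PHP errors and notices from WordPress, themes and plugins
define( 'WP_DEBUG_LOG', true );      // append them to wp-content/debug.log, where you can read the file path and line
define( 'WP_DEBUG_DISPLAY', false ); // do NOT render them in the page: visitors would see server paths and code details
@ini_set( 'display_errors', 0 );     // belt and braces: stop PHP itself from printing errors to the browser
```

    Read wp-content/debug.log over FTP/SFTP to find the plugin or theme file named in the fatal error. Once found, set WP_DEBUG back to false and delete debug.log: it sits inside the web root and is fetchable by anyone who guesses the URL. If the Dashboard is unreachable, renaming the wp-content/plugins directory over FTP deactivates every plugin at once and usually restores admin access, after which the plugins can be renamed back and re-enabled one by one.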

  12. neeleshchakrabortyit

    This update almost took my job … http://techie4wordpress.tk/wordpress-update/


  13. Stephen Cronin

    I’m a little surprised that there hasn’t been more discussion on the Internet about the vulnerability affecting 3.0 to 3.9.2.

    I get that no one likes it when everyone jumps on the let’s bash WordPress security bandwagon, but there is such a thing as responsible disclosure. This vulnerability is extremely serious and very widespread, so I think more effort should be made to let people know, even if that results in some of those posts we all hate.

    I guess I'm influenced by the fact that a) I have a copy of the proof of concept code to exploit the vulnerability and b) I was in the middle of the response to the Slider Revolution vulnerability.

    I’ve seen how easy it is to hack a site with this. Find any site running 3.0 to 3.6 (12% of the entire Internet) with comments enabled and you can exploit it. If they don’t have moderation turned on, you can instantly redirect any page to the page of your choosing for all visitors. I have a video of how easy it is on my website. Not to mention you can add an admin user when it’s run on the backend.

    So this looks more serious than the rev slider one. Also, the rev slider one potentially affected up to 1000 themes (it turned out only 338 were actually affected). This one affects 12% of the entire internet!

    The rev slider author was highly criticised for not making everyone aware of the issue. They were notified of a vulnerability, fixed it and then released an update marked as containing a security fix. That wasn't enough – people said they should have done more to make all users aware of how serious it was.

    In this case, the WordPress project was notified of a vulnerability, they fixed it and then released an automatic update (yay!). They also released a post saying there was a critical security issue, which is more than what the rev slider author did. But more than half the affected users didn't get updated automatically. How many of those will actually see the blog post about the vulnerability? Maybe a few will see it in the dashboard. But have we really done everything we can to make all users aware of how serious it is (the thing that the rev slider author was accused of not doing)?

    The first thing most of the 12% are going to know about this is when they get hacked. I guess that’s fine? Serves them right for not staying updated? I’ve seen people express that sentiment. Personally, I think we can do a better job of getting the word out.

    I guess we were lucky in the rev slider case because once it did get wider exposure, Envato could step in and email everyone who had ever purchased a potentially affected theme. There’s no one to do that in this case… Which means the only alternative is spread this news far and wide by writing about how serious it is and how many people are affected.

    Anyway, sorry for the rant. I’m just genuinely surprised how this has been like a pebble dropped in the ocean (compared to a boulder being dropped in for the rev slider one). Somehow, I was expecting more.


  14. Dave Evans

    If anyone is having trouble with the visuallightbox plugin, this fixed it:

    Open up the visuallightbox.php file.

    Add this function right above the line that says // initialization

    function visuallightboxtag_func($atts) {
        // Shortcode handler: $atts['id'] is the gallery id given as [visuallightbox id="..."]
        return visuallightbox($atts['id'], false);
    }


    then comment out the add_filter and add the add_shortcode lines below

    //add_filter('the_content', 'visuallightbox_injection');
    add_shortcode('visuallightbox', 'visuallightboxtag_func');

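    The pattern behind Mika Epstein's "rolling your own shortcode" remark and Dave Evans's fix above, shown side by side. This is an added example, not code from the original thread, from visuallightbox or from any real plugin: the plugin name, tag name and function names (example_gallery, example_gallery_injection, example_gallery_shortcode) are made up for illustration; shortcode_atts(), absint(), esc_attr() and add_shortcode() are the real WordPress functions.

```php
<?php
/*
Plugin Name: Example Gallery Shortcode (added example, not a real plugin)
*/

// BEFORE: a hand-rolled "shortcode". The plugin runs its own regex over every
// post body on the_content and never tells core that [example_gallery] exists.
// Core's shortcode parser cannot see, validate or skip the tag, and the
// captured attribute goes straight into the markup with no escaping.
function example_gallery_injection( $content ) {
    return preg_replace_callback(
        '/\[example_gallery id=(\d+)\]/',
        function ( $m ) {
            return '<div class="example-gallery" data-id="' . $m[1] . '"></div>';
        },
        $content
    );
}
// add_filter( 'the_content', 'example_gallery_injection' ); // the fragile way: commented out

// AFTER: register the tag with the Shortcode API and let core do the parsing.
function example_gallery_shortcode( $atts ) {
    // shortcode_atts() supplies defaults and discards attributes we did not declare,
    // so a missing id no longer produces a PHP notice and unknown attributes are ignored.
    $atts = shortcode_atts(
        array(
            'id'    => 0,
            'width' => 600,
        ),
        $atts,
        'example_gallery'
    );

    $id    = absint( $atts['id'] );    // force a non-negative integer
    $width = absint( $atts['width'] );
    if ( 0 === $id ) {
        return ''; // no usable id: render nothing rather than broken markup
    }

    // Escape every value that lands in an HTML attribute, even the numeric ones.
    return sprintf(
        '<div class="example-gallery" data-id="%s" style="width:%spx"></div>',
        esc_attr( $id ),
        esc_attr( $width )
    );
}
add_shortcode( 'example_gallery', 'example_gallery_shortcode' );
```

    With the API version, [example_gallery id="3" width="400"] renders the div, [example_gallery] renders nothing, and a core change to how shortcode attributes are tokenised (the kind of change 4.0.1 shipped) reaches the plugin through shortcode_atts() instead of silently breaking a private regex. The handler also keeps working inside other contexts that run do_shortcode(), such as widgets, which a the_content filter never touches.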
