WordPress core contributors released a security update today. All users who have not yet received the automatic update are encouraged to update as soon as possible. WordPress 4.0.1 is a critical security release that provides a fix for a critical cross-site scripting vulnerability, originally reported by Jouko Pynnonen on September 26th.
Sites running WordPress versions 3.9.2 and earlier are affected by the vulnerability. Although installs running 4.0 are not specifically affected, this security update also includes fixes for 23 bugs and eight security issues.
According to the official WordPress version usage stats, only 14.4% of sites are currently running 4.0. This means that the vast majority of WordPress sites and in need of this critical update. A large number of those sites are also running versions that pre-date the automatic background updates that were introduced in WordPress 3.7.
If you want to keep your site on the cutting edge of security updates, it’s critical to have automatic background updates enabled. If you haven’t manually turned them off, WordPress 3.7+ has automatic updates enabled for minor releases by default. This includes maintenance, security, and translation file updates.
Millions of WordPress sites around the web are being updated to 4.0.1 right now and older releases will be updated to 3.9.3, 3.8.5, or 3.7.5, as outlined in Andrew Nacin’s security release announcement. If you don’t want to wait for the automatic update, you can always go to Dashboard → Updates in the admin and update immediately.