WordPress Unveils Version 4.0.1 and Fixes all Security holes in Earlier Versions

WordPress's latest security advisory fixes all known vulnerabilities in its online publishing platform, including a security hole that allowed a malicious hacker to gain administrative rights to a site. The company also released the newest WordPress version, 4.0.1, which promises a safe haven free from all vulnerabilities.

WordPress users can now blog their nights away, after WordPress.org released a new security update to fix all known vulnerabilities that had marred the online publishing platform for months. While announcing the “critical security” fixes for previous WordPress versions, the company also released the new 4.0.1 version, which it says is void of all flaws.

“Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure,” stated WordPress.org in a blog post, adding that the company will no longer support older versions.

Security researcher Jouko Pynnonen had unearthed a cross-site scripting vulnerability that affected all WordPress versions before 3.9.2. A malicious hacker could exploit the flaw to gain administrative rights to a site. To compromise a site, a hacker would insert malicious JavaScript in a comment, which would be automatically executed when the target user “views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard,” stated Klikki’s security advisory.

In a typical case, the “attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue.” The JavaScript is then executed with the rights of whichever user views the comment. For instance, if that user reviews the comments in the administrator's Dashboard, the JavaScript runs with the site admin’s privileges, allowing the attacker to gain full control of the site.

The WordPress security update also addressed another security hole, which allowed a hacker to compromise a WordPress account by tricking the user into changing their password through links sent via email. WordPress.org now says the company “now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.”
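The invalidation behaviour quoted above can be implemented by binding each reset token to the account's current email address and password hash, so that a login-and-change of either one silently voids any link already sent. The following Python sketch is an added illustration of that pattern and is not WordPress code; SERVER_SECRET, the USERS store and the function names are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real site loads this from configuration.
SERVER_SECRET = b"demo-secret-not-for-production"
TOKEN_TTL = 3600  # seconds a reset link stays usable

# Constructed in-memory user store standing in for the site database.
USERS = {
    42: {"email": "alice@example.test", "password_hash": "hash-v1"},
}

def _fingerprint(user: dict) -> str:
    """Digest of the account state a reset link is bound to."""
    state = f"{user['email']}|{user['password_hash']}".encode()
    return hashlib.sha256(state).hexdigest()

def _mac(user_id: int, expires: int, user: dict) -> str:
    payload = f"{user_id}.{expires}.{_fingerprint(user)}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_reset_token(user_id: int, now: Optional[int] = None) -> str:
    """Build the token that would be embedded in the reset email link."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    # The fingerprint is mixed into the MAC but never shipped in the link.
    return f"{user_id}.{expires}.{_mac(user_id, expires, USERS[user_id])}"

def verify_reset_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the link is still valid, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, mac = token.split(".")
        user_id, expires = int(uid_s), int(exp_s)
    except ValueError:
        return None
    user = USERS.get(user_id)
    if user is None or now > expires:
        return None
    # Recompute against the account's *current* email and password hash:
    # if either changed since the link was issued, the MAC no longer matches.
    expected = _mac(user_id, expires, user)
    return user_id if hmac.compare_digest(mac, expected) else None

def change_email(user_id: int, new_email: str) -> None:
    USERS[user_id]["email"] = new_email

def change_password(user_id: int, new_hash: str) -> None:
    USERS[user_id]["password_hash"] = new_hash
```

The same check also rejects links that are expired, malformed or issued for a user that no longer exists.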

The 4.0.1 release also fixes a total of 23 bugs found in earlier versions. WordPress urged customers still using earlier versions to download version 4.0.1 or simply hit the “update now” button on their dashboard. Klikki also issued a security workaround in its advisory that would prove useful to those who won’t let go of their older WordPress version.

Lawrence Mwangi

Lawrence is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web enthusiast, with a special interest in online security, entrepreneurship and innovation. When not writing about tech he can be found on a tennis court or at a chess board.