WordPress 4.0.1 is now available for download. This is a critical security release for all previous versions. What’s new in this release?
better validation of EXIF data we are extracting from uploaded photos.
Three cross-site scripting issues that a contributor or author could use to compromise a site.
A cross-site request forgery that could be used to trick a user into changing their password.
An issue that could lead to a denial of service when passwords are checked.
Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008.
WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.