WordPress recently released an update that had multiple security patches for their (then) current version 4.0. This release is 4.0.1 and includes important security fixes. The Debian packages have just been uploaded; if you are running the Debian-packaged wordpress, you should update to 4.0.1+dfsg-1 or later.
I am going to look at these patches and see if they can and need to be backported to wordpress 3.6.1. Unfortunately I believe they will be. I’m also asking for it to be unblocked into Jessie as it is a security fix.
There were, at the time of writing, no CVE numbers.
The CVE numbers are out and are the following:
– CVE-2014-9031 XSS in wptexturize() via comments or posts
– CVE-2014-9033 CSRF in the password reset process
– CVE-2014-9034 Denial of service for giant passwords
– CVE-2014-9035 XSS in Press This
– CVE-2014-9036 XSS in HTML filtering of CSS in posts
– CVE-2014-9037 Hash comparison vulnerability in old passwords
– CVE-2014-9038 SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space
– CVE-2014-9039 Email address change didn’t invalidate previously sent
Also 4.0.1-2 is just a language pack update.
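For the SSRF item (CVE-2014-9038), the phrase "did not sufficiently block the loopback IP address space" is the key point: a check that only rejects the single literal 127.0.0.1 misses the rest of 127.0.0.0/8, ::1 and IPv4-mapped forms. The following is an added illustration of what a sufficient literal-address check looks like; it is not WordPress code, and the `naive_is_loopback`, `is_loopback_host` and `url_targets_loopback` names and the sample URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit


def naive_is_loopback(host: str) -> bool:
    """An insufficient check: only the one literal 127.0.0.1 is refused.
    Everything else in 127.0.0.0/8, plus ::1, slips through."""
    return host == "127.0.0.1"


def is_loopback_host(host: str) -> bool:
    """Return True when the host literal lies in the loopback address space.

    Covers the whole of 127.0.0.0/8, IPv6 ::1, and IPv4-mapped IPv6 such as
    ::ffff:127.0.0.1. Hostnames are not resolved here (the example runs
    offline); a real implementation must resolve the name and re-run this
    check on every address the resolver returns, not on the name alone.
    """
    candidate = host.strip("[]").lower()  # tolerate bracketed IPv6 literals
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        # Not an address literal: treat only the well-known name as loopback.
        return candidate == "localhost"
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d to a.b.c.d
    return addr.is_loopback


def url_targets_loopback(url: str) -> bool:
    """Decide whether an outbound request URL points at the local host.
    URLs without a usable host are refused as well."""
    host = urlsplit(url).hostname
    if host is None:
        return True
    return is_loopback_host(host)


if __name__ == "__main__":
    # Constructed targets: every one of these reaches the local machine.
    for target in ("127.0.0.1", "127.1.2.3", "::1", "::ffff:127.0.0.1", "localhost"):
        print(f"{target:>18}  naive={naive_is_loopback(target)!s:5}  full={is_loopback_host(target)}")
```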