WordPress 4.0.1 is now available. This is a critical security release for all previous versions, and we strongly encourage our customers (and all WordPress users) to update their WordPress sites immediately.
Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:
WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Further information about this WordPress release can be found at https://wordpress.org/news/2014/11/wordpress-4-0-1/
If you need any help updating your site or plugins, please get in touch.