On 16 May 2017, WordPress 4.0.18 was released to the public.
Installation/Update Information
To download WordPress 4.0.18, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Summary
From the WordPress 4.7.5 release post: WordPress versions 4.7.4 and earlier are affected by six security issues:
- Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
- Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
- Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
- A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
List of Files Revised
wp-includes/class-wp-customize-manager.php wp-includes/version.php wp-includes/js/plupload/handlers.js wp-includes/js/plupload/handlers.min.js wp-includes/class-wp-xmlrpc-server.php readme.html wp-admin/customize.php wp-admin/includes/file.php wp-admin/about.php wp-admin/js/customize-controls.min.js wp-admin/js/customize-controls.js