Title: Version 4.0.18
Author: Subrata Sarkar
Published: January 14, 2019

---

# Version 4.0.18

On 16 May 2017, WordPress 4.0.18 was released to the public.

## Installation/Update Information

To download WordPress 4.0.18, update automatically from the Dashboard > Updates menu in your site’s admin area or visit [https://wordpress.org/download/release-archive/](https://wordpress.org/download/release-archive/).

For step-by-step instructions on installing and updating WordPress:

 * [Updating WordPress](https://codex.wordpress.org/Updating_WordPress)

If you are new to WordPress, we recommend that you begin with the following:

 * [New To WordPress – Where to Start](https://codex.wordpress.org/New_To_WordPress_-_Where_to_Start)
 * [First Steps With WordPress](https://codex.wordpress.org/First_Steps_With_WordPress)
   or [Upgrading WordPress Extended](https://codex.wordpress.org/Upgrading_WordPress_Extended)
 * [WordPress Lessons](https://codex.wordpress.org/WordPress_Lessons)

## Summary

From the [WordPress 4.7.5 release post](https://wordpress.org/news/2017/05/wordpress-4-7-5/):
WordPress versions 4.7.4 and earlier are affected by six security issues:

 1. Insufficient redirect validation in the HTTP class. Reported by [Ronni Skansing](https://dk.linkedin.com/in/ronni-skansing-36143b65).
 2. Improper handling of post meta data values in the XML-RPC API. Reported by [Sam Thomas](https://hackerone.com/jazzy2fives).
 3. Lack of capability checks for post meta data in the XML-RPC API. Reported by [Ben Bidner](https://profiles.wordpress.org/vortfu/)
    of the WordPress Security Team.
 4. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem
    credentials dialog. Reported by [Yorick Koster](https://twitter.com/yorickkoster).
 5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload
    very large files. Reported by [Ronni Skansing](https://dk.linkedin.com/in/ronni-skansing-36143b65).
 6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.
    Reported by [Weston Ruter](https://profiles.wordpress.org/westonruter/) of the 
    WordPress Security Team.

## List of Files Revised

```
wp-includes/class-wp-customize-manager.php
wp-includes/version.php
wp-includes/js/plupload/handlers.js
wp-includes/js/plupload/handlers.min.js
wp-includes/class-wp-xmlrpc-server.php
readme.html
wp-admin/customize.php
wp-admin/includes/file.php
wp-admin/about.php
wp-admin/js/customize-controls.min.js
wp-admin/js/customize-controls.js
```
