WordPress 4.0.1 fixes 8 security risks and 23 bugs

WordPress 4.0.1 is now available. This is a critical update for previous versions, and we strongly recommend that you update your site immediately.
Sites that support automatic background updates will be updated to WordPress 4.0.1 over the next few hours. If you are still using WordPress 3.9.2, 3.8.4 or 3.7.4, you will be updated to 3.9.3, 3.8.5 or 3.7.5. (We do not support older versions, so please update to the latest version, 4.0.1.)
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site. This issue does not affect version 4.0, but version 4.0.1 addresses the following eight security issues:
3 cross-site scripting issues that a contributor or author could use to compromise the site
A cross-site request forgery that could be used to trick users into changing their passwords
1 issue that may result in a denial of service when passwords are checked
Additional protection against server-side request forgery attacks when WordPress sends HTTP requests
An extremely unlikely hash collision that could have affected a user's account, and which also required that they had not logged in since 2008 (I wish I was kidding)
WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
Version 4.0.1 also fixes 23 bugs in 4.0, and we have made two hardening changes, including better validation of the EXIF data extracted from uploaded photos.