WordPress 4.0.1 is now available.
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
This is a critical security release for all previous versions: the vulnerabilities could allow attackers to create administrator accounts and take control of websites. Sites that support automatic background updates will be updated to WordPress 4.0.1 automatically; otherwise you need to update your sites immediately.
Jouko Pynnonen, the security researcher who found the flaw, said in an advisory:
“The JavaScript injected into a comment is executed when the target user views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard. In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue. The exploit is not then visible to normal users, search engines, etc. When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.”
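The scenario described above is a stored cross-site scripting flaw: comment text containing script is saved unchanged and later rendered in a page the administrator views. The general defence is to HTML-escape comment text at output time so that markup is displayed literally rather than interpreted, and to flag comments carrying active content for review. The following is an added example illustrating that defence; it is not WordPress code and does not reproduce the actual 4.0.1 fix (which is not described on this page). The sample comments, the `ACTIVE_CONTENT` pattern and the function names are constructed for the example.

```python
import html
import re

# Constructed sample comments (not from the advisory). The second one carries
# the kind of markup a stored-XSS attempt relies on; the first is ordinary text.
SAMPLE_COMMENTS = [
    "Great post, thanks for sharing!",
    'Nice article <script>alert("x")</script> <a href="http://example.com">link</a>',
]

# Hypothetical pattern for detecting active content inside a comment:
# script tags, inline event handlers and javascript: URLs. Used only to
# flag comments for manual review, never to decide what is safe to render.
ACTIVE_CONTENT = re.compile(
    r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def render_comment_html(text: str) -> str:
    """Return comment text safe to embed in an HTML element body.

    Every character with HTML meaning (<, >, &, quotes) is replaced by its
    entity, so a comment containing <script> is shown literally and never
    executed, whether it appears on the post or in the moderation queue.
    """
    return html.escape(text, quote=True)


def needs_moderation(text: str) -> bool:
    """Flag comments that contain active content so a moderator looks at them."""
    return bool(ACTIVE_CONTENT.search(text))


def process_comments(comments):
    """Escape every comment for display and report which ones were flagged."""
    return [
        {"html": render_comment_html(c), "flagged": needs_moderation(c)}
        for c in comments
    ]


if __name__ == "__main__":
    # Escaping happens regardless of the flag: the flag is a review signal,
    # the escaping is what prevents execution in the dashboard.
    for item in process_comments(SAMPLE_COMMENTS):
        print(("FLAGGED " if item["flagged"] else "ok      ") + item["html"])
```

The important design point is the ordering: escaping is applied unconditionally wherever the comment is rendered, including the administrative moderation view, and the pattern match only decides whether a human should look at it. A filter that tried to strip "bad" tags instead of escaping everything would be the weaker choice, since it must anticipate every encoding trick the attacker might use.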
Official WordPress 4.0.1 Security Release announcement here