On May 6, 2015, WordPress 4.0.5 was released to the public, along with WordPress 4.2.2. This is both a security update for all previous WordPress versions, and a maintenance release for versions 4.0 and newer.
To download WordPress 4.0.5, update automatically from the Dashboard > Updates menu in your site's admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
From the announcement post, WordPress 4.0.5 fixes a cross-site scripting vulnerability contained in an HTML file shipped with recent Genericons packages included in the Twenty Fifteen theme as well as a number of popular plugins by removing the file. Auto-updates and manual updates will remove this file, however manual installations and those using VCS checkout (like SVN) will not remove this file. Version 4.0.5 also improves on a fix for a critical cross-site scripting vulnerability introduced in 4.0.4.
The release also includes hardening for a potential cross-site scripting vulnerability when using the Visual editor.
WordPress 4.0.5 also contains fixes for 3 bugs from 4.0.4, including:
wp-admin/includes/upgrade.php wp-admin/includes/update-core.php wp-admin/about.php wp-includes/compat.php wp-includes/js/tinymce/plugins/wordpress/plugin.js wp-includes/wp-db.php wp-includes/version.php readme.html