Seems that the only new dep in 4.0.1 (besides the themes, which should probably be re-merged if taking this route) is on ca-certificates.
In a pbuilder vanilla wheezy chroot, just installed current stable wordpress, then replaced with the built version and 3 themes using dpkg. Only extra package needed was ca-certificates. Which, obviously, is in stable. Craig - if you're going to do the work on backporting the fixes, you might also consider the likelihood of there being further such fixes required during the stable security support window. In this case already, the delay in getting a fixed version into the archive is probably long enough for these issues to be being exploited. Is there any reason to think we'd be able to be quicker next time? Cheers, Nick -- Nick Phillips / n...@debian.org / 03 479 4195 # These statements are mine, not those of the University of Otago