WordPress 4.7.1 Security Release

Posted by Andrei on January 12, 2017 in WordPress

WordPress has just released version 4.7.1, a security and maintenance release for all previous versions. We advise all our users to update to the latest version as soon as possible.

This security release fixes eight security issues that were reported after the major version 4.7 was released in December 2016. It also fixes over sixty bugs in version 4.7.

Here is the list of all eight security issues as given on the WordPress blog for this update.

  • PHPMailer update fixing a remote code execution (RCE) issue: WordPress uses the PHPMailer library as the basis for its email functionality.
  • A REST API issue that exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to post types that have explicitly opted into being shown within the REST API.
  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting (XSS) via the theme name fallback.
  • Post via email checks mail.example.com if the default settings aren’t changed.
  • A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
  • Weak cryptographic security for the multisite activation key.
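To make the REST API item above concrete, here is an added example (not code from the original post or from WordPress core) showing how the `show_in_rest` flag on a post type controls whether its authors are listed by the public users endpoint on 4.7.1 and later. The post type names `example_article` and `example_memo` and the audit helper are hypothetical; `register_post_type` and `get_post_types` are standard WordPress functions.

```php
<?php
/**
 * Added example, not part of the original post or of WordPress core.
 * Registers two custom post types on a site running WordPress 4.7.1+.
 * Post type names and labels are constructed for illustration only.
 *
 * Since the 4.7.1 fix, the users endpoint only lists users who have authored
 * posts of a type registered with 'show_in_rest' => true. A post type that is
 * public on the site but not opted into the REST API no longer causes its
 * authors to be exposed there.
 */
add_action( 'init', function () {
    // Editorial content intended for the REST API (e.g. a JavaScript front end).
    register_post_type( 'example_article', array(
        'label'        => 'Articles',
        'public'       => true,
        'show_in_rest' => true,   // authors of these posts are listed by /wp/v2/users
        'supports'     => array( 'title', 'editor', 'author' ),
    ) );

    // Content that is public on the site but deliberately kept out of the REST API.
    register_post_type( 'example_memo', array(
        'label'        => 'Memos',
        'public'       => true,
        'show_in_rest' => false,  // the default; authors are not exposed via the users endpoint
        'supports'     => array( 'title', 'editor', 'author' ),
    ) );
} );

/**
 * Hypothetical post-update audit helper: returns the public post types that
 * are NOT opted into the REST API, so a site owner can confirm which content
 * (and therefore which authors) stays off the users endpoint.
 */
function example_audit_non_rest_public_types() {
    $public_types = get_post_types( array( 'public' => true ), 'names' );
    $rest_types   = get_post_types( array( 'show_in_rest' => true ), 'names' );
    return array_values( array_diff( $public_types, $rest_types ) );
}
```

Running `example_audit_non_rest_public_types()` after the `init` hook on such a site returns `example_memo` but not `example_article`, confirming which post types remain outside the REST API.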

The update also includes fixes to the bundled themes, Comments, Customizer, Editor, HTTP API, Media, and REST API, among others. Please see the complete list of bug fixes on the Codex page for the 4.7.1 update.

Your website should update automatically, but if you don’t want to wait, browse to Dashboard > Updates and click the Update Now button.
