WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.
The update fixes eight (8) major security issues as well as sixty-two (62) other various bugs found in 4.7.
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks mail.example.com if default settings aren’t changed.
A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
It is strongly encouraged that you update your version of WordPress as soon as possible to avoid possible exploitations. As always, I also encourage everyone to read through the changelog to see what was fixed or what could be a potential issue in the future.