WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7.
The update fixes eight (8) security issues and sixty-two (62) other bugs found in 4.7.
Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
Cross-site request forgery (CSRF) bypass via uploading a Flash file.
Cross-site scripting (XSS) via theme name fallback.
Post via email checks mail.example.com if default settings aren’t changed.
A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
Weak cryptographic security for multisite activation key.
It is strongly encouraged that you update your version of WordPress as soon as possible to avoid possible exploitation. As always, I also encourage everyone to read through the changelog to see what was fixed or what could be a potential issue in the future.
WordPress (WP) has released version 4.7 of their blogging and content management software. It has been codenamed in honor of the legendary jazz vocalist Sarah “Sassy” Vaughan. Here are some of the new features:
As always, new version, new theme…
Theme Starter Content
When you set up a new theme with no content, the theme can provide some starter content to show off its capabilities.
New icons appear in the Customizer to show what content can be changed in real-time within the live preview.
Video headers can be added to themes with a video selector that shows up in the Customizer.
Blank Pages During Menu Creation
If you don’t have content for your site yet but know how you want your menu structured, the menu editor now allows creating blank pages on the fly while setting up the menu.
Custom CSS can be added through the Customizer (note that such file-editing features are often disabled on most hosts as they often are the source of exploits and malware).
PDF Thumbnail Previews
PDFs that are uploaded now generate image previews just like images.
Dashboard in your language
The admin area can now have its own per-user language setting.
REST API Content Endpoints
Endpoints for posts, comments, terms, users, meta, and settings are provided by default in this version as they continue to build in the API components.
Post Type Templates for All
Post type templates are now available for all custom post types.
Custom Bulk Actions
One of the most-often requested features is now available in this version. In the past, adding custom bulk actions required a lot of hacking and working around the existing code. Now there are built-in functions to assist with adding custom actions that can be applied to many posts at once.
The code that runs the actions and hooks has been rewritten, fixing a number of bugs and adding a few new capabilities.
Settings Registration API
The register_setting() function has been updated to include type, description, and REST API visibility.
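As an added illustration of the new register_setting() arguments, and of the REST API exposure change in 4.7.1 described earlier, here is hypothetical plugin code (not from the post or from WordPress core) that registers a setting with type, description, a sanitize callback and REST visibility, alongside a custom post type that opts out of the REST API; the plugin and option names are assumptions.

```php
<?php
// Added example, not from the original post or from WordPress core.
// Names prefixed myplugin_ are assumptions.

// A custom post type kept out of the REST API. With show_in_rest => false
// its authors are no longer listed by the users endpoint after 4.7.1,
// which limits exposure to post types that ask to be shown in the API.
function myplugin_register_internal_notes() {
    register_post_type( 'internal_note', array(
        'label'        => 'Internal Notes',
        'public'       => true,
        'show_in_rest' => false, // not exposed through /wp-json
    ) );
}
add_action( 'init', 'myplugin_register_internal_notes' );

// Sanitize callback: accept only one of a fixed set of values, so a
// request through the settings endpoint cannot store arbitrary data.
function myplugin_sanitize_retention_days( $value ) {
    $allowed = array( 7, 30, 90 );
    $value   = absint( $value );
    return in_array( $value, $allowed, true ) ? $value : 30;
}

// Setting registered with the 4.7 arguments. show_in_rest => true makes it
// readable and writable via the settings endpoint by users who can
// manage_options; the sanitize callback still runs on every write.
// Hooked to init so the registration is seen by both admin and REST requests.
function myplugin_register_settings() {
    register_setting( 'myplugin', 'myplugin_retention_days', array(
        'type'              => 'integer',
        'description'       => 'Days to keep internal notes.',
        'sanitize_callback' => 'myplugin_sanitize_retention_days',
        'show_in_rest'      => true,
        'default'           => 30,
    ) );
}
add_action( 'init', 'myplugin_register_settings' );
```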
A new post status (customize_changeset) that is created when something is changed in the Customizer prior to being published.