Wordfence Blog

WordPress 4.7.1 Security Release with PHPMailer Fix

This entry was posted in Vulnerabilities, WordPress Security on January 13, 2017 by Mark Maunder

WordPress 4.7.1 was released on Wednesday. It contains 8 security fixes including a fix for the PHPMailer issue, which we reported on in late December.

While there are no known publicly available exploits for the PHPMailer issue, it is an especially high-risk vulnerability. If exploited, the remote code execution (RCE) vulnerability could allow an attacker to execute malicious code on a victim’s website, ultimately taking full control of the site.

Among the other fixes included in this release is a security update to the WordPress REST API. As we reported on our blog in early December, user data for post authors was exposed by default, enabling username harvesting. Wordfence users running version 6.2.8 and later are already protected.

Details for the remaining 6 vulnerabilities:

  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file
  • Cross-site scripting (XSS) via theme name fallback
  • Post via email checks mail.example.com if default settings aren’t changed
  • A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing
  • Weak cryptographic security for multisite activation key

The release also fixes 61 bugs from version 4.7.

Your site should have been automatically updated to WordPress 4.7.1 by now if you have a default WordPress configuration. If your site has not been updated, you should upgrade at your earliest convenience.

7 Comments on "WordPress 4.7.1 Security Release with PHPMailer Fix"

Josh Popichak January 13, 2017 at 9:53 am

For some reason the automatic upgrade failed on my site and I can't figure out how to upgrade it manually... I am getting frustrated because it's slow and wonky now. Help, please?

Mark Maunder January 13, 2017 at 11:20 am

Sorry Josh, we don't provide support here and we don't support WordPress - just our own product. I suggest you try the wordpress.org forums.

James Taiwo January 13, 2017 at 10:30 am

Thanks for these important updates and thanks for keeping us in the loop as well.

John January 14, 2017 at 9:30 am

"In the loop" - is that a WordPress joke...? :)

Muhammad Imran Nazish January 13, 2017 at 12:03 pm

Thank you very much for sharing this information with us.

John Colascione January 13, 2017 at 4:28 pm

Appreciate all of the updates your team sends out. "WordFence (these guys are great over there)."

pl80 January 20, 2017 at 1:42 am

Thanks guys, we've updated right away.
