WordPress 4.7.1 Security Release with PHPMailer Fix

WordPress 4.7.1 was released on Wednesday. It contains 8 security fixes including a fix for the PHPMailer issue, which we reported on in late December.

While there are no known publicly available exploits for the PHPMailer issue, it is an especially high-risk vulnerability. If exploited, the remote code execution (RCE) vulnerability could allow an attacker to execute malicious code on a victim’s website, ultimately taking full control of the site.

Among the other fixes included in this release is a security update to the WordPress REST API. As we reported on our blog in early December, user data for post authors was exposed by default, enabling username harvesting. Wordfence users running version 6.2.8 and later are already protected.

Details for the remaining 6 vulnerabilities:

  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file
  • Cross-site scripting (XSS) via theme name fallback
  • Post via email checks mail.example.com if default settings aren’t changed
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Weak cryptographic security for multisite activation key

The release also fixes 61 bugs from version 4.7.

Your site should have been automatically updated to WordPress 4.7.1 by now if you have a default WordPress configuration. If your site has not been updated, you should upgrade at your earliest convenience.
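As an added example, not code from Wordfence or from the WordPress project, here is a small Python check an administrator can run against a copy of a site's files and options to confirm whether the install predates 4.7.1 and whether the Post via email setting is still at the default the list above refers to. The `version.php` sample below is constructed from memory of the file's layout, and the option name `mailserver_url` is an assumption about where WordPress stores that setting.

```python
import re

# Lowest version that carries the fixes described in this post.
PATCHED_VERSION = "4.7.1"

# Constructed sample of wp-includes/version.php from an unpatched 4.7 install.
# The real file declares more variables; only $wp_version matters here.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7';

$wp_db_version = 38590;
"""

# Constructed sample of the relevant wp_options rows as a dict.
# 'mailserver_url' is assumed to be the option holding the Post via email host.
SAMPLE_OPTIONS = {"mailserver_url": "mail.example.com"}
DEFAULT_MAILSERVER = "mail.example.com"


def extract_wp_version(version_php: str) -> str:
    """Pull the $wp_version string out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def parse_version(v: str):
    """Turn '4.7.1' or '4.7.1-RC1' into a comparable tuple.

    Numeric parts compare as integers (so 4.7.10 > 4.7.2). A pre-release
    suffix sorts below the final release it belongs to, which is the
    conservative choice when asking 'do I have the fix yet'."""
    base, _, suffix = v.partition("-")
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    final_release = 0 if suffix else 1
    return (tuple(parts), final_release)


def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release."""
    return parse_version(installed) < parse_version(patched)


def uses_default_post_by_email(options: dict) -> bool:
    """True when Post via email still points at the shipped default host."""
    return options.get("mailserver_url", DEFAULT_MAILSERVER) == DEFAULT_MAILSERVER


def check_install(version_php: str, options: dict) -> dict:
    """Summarise both checks for a report or a monitoring script."""
    version = extract_wp_version(version_php)
    return {
        "version": version,
        "needs_update": needs_update(version),
        "prerelease": parse_version(version)[1] == 0,
        "default_post_by_email": uses_default_post_by_email(options),
    }


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_PHP, SAMPLE_OPTIONS))
```

On a live site, read `wp-includes/version.php` from disk and the options row from the database (or `wp option get mailserver_url` with WP-CLI) instead of the constructed samples. A pre-release version string is reported separately because whether a given nightly build carries the fix depends on when it was built, so it deserves a manual look rather than a pass.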


7 Comments
  • For some reason the automatic upgrade failed on my site and I can't figure out how to upgrade it manually... I am getting frustrated because it's slow and wonky now. Help, please?

    • Sorry Josh, we don't provide support here and we don't support WordPress - just our own product. I suggest you try the wordpress.org forums.

  • Thanks for these important updates and thanks for keeping us in the loop as well.

    • "In the loop" - is that a WordPress joke...? :)

  • Thank you very much for sharing this information with us.

  • Appreciate all of the updates your team sends out. "WordFence (these guys are great over there)."

  • Thanks guys, we've updated right away.