
WordPress 4.7.1 Security Release with PHPMailer Fix

This entry was posted in Vulnerabilities, WordPress Security on January 13, 2017 by Mark Maunder

WordPress 4.7.1 was released on Wednesday. It contains 8 security fixes including a fix for the PHPMailer issue, which we reported on in late December.

While there are no known publicly available exploits for the PHPMailer issue, it is an especially high-risk vulnerability: if exploited, this remote code execution (RCE) flaw could allow an attacker to run malicious code on a victim's website and ultimately take full control of the site.

Among the other fixes included in this release is a security update to the WordPress REST API. As we reported on our blog in early December, user data for post authors was exposed by default, enabling username harvesting. Wordfence users running version 6.2.8 and later are already protected.
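For readers who want to go beyond the core fix and keep the REST API user listing away from anonymous visitors altogether, the following must-use plugin is an added example (not Wordfence's or WordPress core's code). It relies on WordPress's `rest_endpoints` filter and `is_user_logged_in()`; the helper name `example_is_users_route` is a placeholder of my own choosing.

```php
<?php
/**
 * Plugin Name: Restrict REST API user listing (added example)
 *
 * Added example, not Wordfence or WordPress core code. Drop this file into
 * wp-content/mu-plugins/ on a WordPress 4.7.1 or later site. It removes the
 * /wp/v2/users routes for visitors who are not logged in, so an anonymous
 * request for the user list gets a "no route" 404 instead of author names.
 * Logged-in users keep the endpoint, so the admin interface is unaffected.
 */

// Return true when a registered REST route belongs to the users collection
// (covers both /wp/v2/users and the per-user /wp/v2/users/<id> route).
function example_is_users_route( $route ) {
    return strpos( $route, '/wp/v2/users' ) === 0;
}

// Filter the registered endpoints before the REST server dispatches a request.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Authenticated users keep full access; only anonymous visitors lose the route.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        if ( example_is_users_route( $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

To verify the change, request `/wp-json/wp/v2/users` from a logged-out browser or a fresh private window: WordPress should answer with a 404 and a `rest_no_route` error code, while the same request from a logged-in session still returns the user objects.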

Details for the remaining 6 vulnerabilities:

  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file
  • Cross-site scripting (XSS) via theme name fallback
  • Post via email checks mail.example.com if default settings aren’t changed
  • A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing
  • Weak cryptographic security for multisite activation key

The release also fixes 61 bugs from version 4.7.

Your site should have been automatically updated to WordPress 4.7.1 by now if you have a default WordPress configuration. If your site has not been updated, you should upgrade at your earliest convenience.



7 Comments on "WordPress 4.7.1 Security Release with PHPMailer Fix"

Josh Popichak January 13, 2017 at 9:53 am

For some reason the automatic upgrade failed on my site and I can't figure out how to upgrade it manually... I am getting frustrated because it's slow and wonky now. Help, please?

Mark Maunder January 13, 2017 at 11:20 am

Sorry Josh, we don't provide support here and we don't support WordPress - just our own product. I suggest you try the wordpress.org forums.

James Taiwo January 13, 2017 at 10:30 am

Thanks for these important updates and thanks for keeping us in the loop as well.

John January 14, 2017 at 9:30 am

"In the loop" - is that a WordPress joke...? :)

Muhammad Imran Nazish January 13, 2017 at 12:03 pm

Thank you very much for sharing this information with us.

John Colascione January 13, 2017 at 4:28 pm

Appreciate all of the updates your team sends out. "WordFence (these guys are great over there)."

pl80 January 20, 2017 at 1:42 am

Thanks guys, we've updated right away.
