WordPress 4.7.1 Security Release with PHPMailer Fix
WordPress 4.7.1 was released on Wednesday. It contains 8 security fixes including a fix for the PHPMailer issue, which we reported on in late December.
While there are no known publicly available exploits for the PHPMailer issue, it is an especially high risk vulnerability. If exploited, the remote code execution (RCE) vulnerability could allow an attacker to execute malicious code on a victim’s website, ultimately taking full control of the site.
Among the other fixes included in this release is a security update to the WordPress REST API. As we reported on our blog in early December, user data for post authors was exposed by default, enabling username harvesting. Wordfence users running version 6.2.8 and later are already protected.
Details for the remaining 6 vulnerabilities:
- Cross-site scripting (XSS) via the plugin name or version header on
- Cross-site request forgery (CSRF) bypass via uploading a Flash file
- Cross-site scripting (XSS) via theme name fallback
- Post via email checks
mail.example.comif default settings aren’t changed
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing
- Weak cryptographic security for multisite activation key
The release also fixes 61 bugs from version 4.7.
Your site should have been automatically updated to WordPress 4.7.1 by now if you have a default WordPress configuration. If your site has not been updated, you should upgrade at your earliest convenience.