WordPress 4.7.1 fixes 8 security vulnerabilities and 62 bugs [Quick Guide]

4:35 pm January 13, 201713474

WordPress 4.7 for been downloaded more than 10 million times since its release on December 6, 2016 and WordPress 4.7.1 is now available since January 12, 2017.

This minor version update is a version of security for all previous versions and we strongly encourage you to upgrade all of your sites immediately.


WordPress 4.7 and earlier versions are affected by 8 security vulnerabilities:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, year out of abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane .
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean .
  3. Cross-site scripting (XSS) via the plugin name Gold version header we update – core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam .
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince .
  6. Post via email checks if default settings aren’t changed mail.example.com. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility of widget editing mode. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack .

in addition to above – mentioned security issues , WordPress 4.7.1 fixes 62 bugs of the 4.7 For more information, see the release notes or consult the list of changes .

source: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/