
WordPress Releases 4.7.1 Security Release and Update

Jan 16, 2017 | News, Security, WordPress


Last Wednesday, WordPress released version 4.7.1 of their software. Most WordPress websites were auto-updated, since this is a security release that fixes eight security bugs, including the PHPMailer issue that they announced last month.

The PHPMailer issue was an especially high-risk vulnerability, even though there are no publicly known exploits as of yet. Had it been exploited, it could have allowed an attacker to execute malicious code on the victim’s website, enabling them to take full control of the site.

The security release also fixed the WordPress REST API issue, which allowed user data for post authors to be exposed by default, leaving them open to username harvesting. This bug did not affect users of Wordfence, our preferred security software, who were running version 6.2.8 or later, as they were already protected.

Other fixes in this update included:

  • Cross-site scripting (XSS) via theme name fallback
  • Post via email checks mail.example.com if default settings aren’t changed
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Weak cryptographic security for multisite activation key
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file
  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php

This update also fixed 61 other bugs from version 4.7.

If your site didn’t auto-update for some reason, you should upgrade it at your earliest convenience, or contact us for a price to do the update for you. Be sure to back up your website, as always, before doing the update.


Nora Kramer