Last Wednesday, WordPress released version 4.7.1 of their software. Most WordPress websites were auto-updated, since this is a security release that fixes eight security bugs, including the PHP mailer issue that they announced last month.
The PHP mailer issue was an especially high-risk vulnerability, despite there being no publicly known exploits as of yet. Had it been exploited, it could have allowed an attacker to execute malicious code on the victim’s website, enabling them to take full control of the site.
The security release also fixed the WordPress REST API issue, which exposed user data for post authors by default, leaving sites open to username harvesting. This bug did not affect users of Wordfence (our preferred security software) running version 6.2.8 or later, as they were already protected.
Other fixes in this update included:
- Cross-site scripting (XSS) via theme name fallback
- Post via email checks mail.example.com if default settings aren’t changed
- Cross-site request forgery (CSRF) in the accessibility mode of widget editing
- Weak cryptographic security for multisite activation key
- Cross-site request forgery (CSRF) bypass via uploading a Flash file
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php
This update also fixed 61 other bugs from version 4.7.
If your site didn’t auto-update for some reason, you should upgrade it at your earliest convenience, or contact us for a price to do the update for you. As always, be sure to back up your website before doing the update.