As a fan of this blog, you know our number one area of expertise is online security, specifically WordPress. On January 11th, WordPress released and made available WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your WordPress website(s) immediately.
According to their blog, “WordPress versions 4.7 and earlier are affected by eight security issues:
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks
mail.example.comif default settings aren’t changed.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
At this time, our professional security team strongly recommends that you update to this new version immediately. Be sure to perform a full backup prior to updating.
We can help you upgrade your WordPress!
If you’re unsure how to effectively upgrade your site to the latest WordPress version or do not have time to do so, let us put your mind at ease. Our WordPress Security Experts will upgrade your WordPress blog for you!