WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016, and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.7 and earlier are affected by 8 security issues:
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
- Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
- Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
- Weak cryptographic security for multisite activation key. Reported by Jack.
Thank you to the reporters for practicing responsible disclosure.
Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.
Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, Christian Chung, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, Hristo Pandjarov, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.