{"id":4650,"date":"2017-01-11T03:53:57","date_gmt":"2017-01-11T03:53:57","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=4650"},"modified":"2022-11-18T22:53:15","modified_gmt":"2022-11-18T22:53:15","slug":"wordpress-4-7-1-security-and-maintenance-release","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2017\/01\/wordpress-4-7-1-security-and-maintenance-release\/","title":{"rendered":"WordPress 4.7.1 Security and Maintenance Release"},"content":{"rendered":"<p>WordPress 4.7 has been\u00a0<a href=\"https:\/\/wordpress.org\/download\/counter\/\">downloaded over 10 million times<\/a>\u00a0since its release on December 6, 2016\u00a0and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a <strong>security release<\/strong> for all previous versions and we strongly encourage you to update your sites immediately.<\/p>\n<p>WordPress versions 4.7 and earlier are affected by eight security issues:<\/p>\n<ol>\n<li>Remote code execution (RCE) in PHPMailer &#8211; <em>No specific issue appears to affect WordPress<\/em> or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to <a href=\"https:\/\/legalhackers.com\/\">Dawid Golunski<\/a> and <a href=\"https:\/\/twitter.com\/Zenexer\">Paul Buonopane<\/a>.<\/li>\n<li>The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only\u00a0post types which have specified that they should be shown\u00a0within the REST API. Reported by <a href=\"https:\/\/poststatus.com\/\">Krogsgard<\/a> and <a href=\"https:\/\/ithemes.com\/\">Chris Jean<\/a>.<\/li>\n<li>Cross-site scripting (XSS) via the plugin name or version header on <code>update-core.php<\/code>.\u00a0Reported by\u00a0<a href=\"https:\/\/dominikschilling.de\/\">Dominik Schilling<\/a>\u00a0of the WordPress Security Team.<\/li>\n<li>Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by\u00a0<a href=\"https:\/\/twitter.com\/Abdulahhusam\">Abdullah Hussam<\/a>.<\/li>\n<li>Cross-site scripting (XSS) via theme name fallback. Reported by\u00a0<a href=\"https:\/\/pentest.blog\/\">Mehmet Ince<\/a>.<\/li>\n<li>Post via email checks <code>mail.example.com<\/code>\u00a0if default settings aren&#8217;t changed. Reported by John Blackbourn of the WordPress Security Team.<\/li>\n<li>A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by\u00a0<a href=\"https:\/\/dk.linkedin.com\/in\/ronni-skansing-36143b65\">Ronnie Skansing<\/a>.<\/li>\n<li>Weak cryptographic security for multisite activation key. Reported by <a href=\"https:\/\/itsjack.cc\/\">Jack<\/a>.<\/li>\n<\/ol>\n<p>Thank you to the\u00a0reporters for practicing <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/testing\/reporting-security-vulnerabilities\/\">responsible disclosure<\/a>.<\/p>\n<p>In addition to the security issues above, WordPress 4.7.1 fixes 62\u00a0bugs from 4.7.\u00a0For more information, see the <a href=\"https:\/\/codex.wordpress.org\/Version_4.7.1\">release notes<\/a>\u00a0or consult the <a href=\"https:\/\/core.trac.wordpress.org\/query?milestone=4.7.1\">list of changes<\/a>.<\/p>\n<p><a href=\"https:\/\/wordpress.org\/download\/\">Download WordPress 4.7.1<\/a>\u00a0or venture over to Dashboard \u2192 Updates and simply click \u201cUpdate Now.\u201d Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.<\/p>\n<p>Thanks to everyone who contributed to 4.7.1: <a href=\"https:\/\/profiles.wordpress.org\/aaroncampbell\/\">Aaron D. Campbell<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jorbin\/\">Aaron Jorbin<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/adamsilverstein\/\">Adam Silverstein<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/afercia\/\">Andrea Fercia<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/azaozz\/\">Andrew Ozz<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/gitlost\/\">bonger<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/boonebgorges\/\">Boone Gorges<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/chandrapatel\/\">Chandra Patel<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/christian1012\/\">Christian Chung<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dlh\/\">David Herrera<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dshanske\/\">David Shanske<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dd32\/\">Dion Hulse<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/ocean90\/\">Dominik Schilling (ocean90)<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dreamon11\/\">DreamOn11<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/chopinbach\/\">Edwin Cromley<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/iseulde\/\">Ella van Dorpe<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/pento\/\">Gary Pendergast<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/hristo-sg\/\">Hristo Pandjarov<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jnylen0\/\">James Nylen<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jblz\/\">Jeff Bowen<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jeremyfelt\/\">Jeremy Felt<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/jpry\/\">Jeremy Pry<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/joehoyle\/\">Joe Hoyle<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/joemcgill\/\">Joe McGill<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/johnbillion\/\">John Blackbourn<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/kkoppenhaver\/\">Keanan Koppenhaver<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/obenland\/\">Konstantin Obenland<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/laurelfulford\/\">laurelfulford<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/tyxla\/\">Marin Atanasov<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/mattyrob\/\">mattyrob<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/monikarao\/\">monikarao<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/natereist\/\">Nate Reist<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/celloexpressions\/\">Nick Halsey<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/nikschavan\/\">Nikhil Chavan<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/nullvariable\/\">nullvariable<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sirbrillig\/\">Payton Swick<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/peterwilsoncc\/\">Peter Wilson<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/presskopp\/\">Presskopp<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/rachelbaker\/\">Rachel Baker<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/rmccue\/\">Ryan McCue<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sanketparmar\/\">Sanket Parmar<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sebastianpisula\/\">Sebastian Pisula<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sfpt\/\">sfpt<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/shazahm1hotmailcom\/\">shazahm1<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/sstoqnov\/\">Stanimir Stoyanov<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/stevenkword\/\">Steven Word<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/szaqal21\/\">szaqal21<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/timph\/\">timph<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/voldemortensen\/\">voldemortensen<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/vortfu\/\">vortfu<\/a>, and <a href=\"https:\/\/profiles.wordpress.org\/westonruter\/\">Weston Ruter<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress 4.7 has been\u00a0downloaded over 10 million times\u00a0since its release on December 6, 2016\u00a0and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7 and earlier are affected by eight security issues: [&hellip;]<\/p>\n","protected":false},"author":140668,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[14,15],"tags":[189,437],"class_list":["post-4650","post","type-post","status-publish","format-standard","hentry","category-releases","category-security","tag-4-7","tag-minor-releases"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-1d0","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/140668"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=4650"}],"version-history":[{"count":21,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4650\/revisions"}],"predecessor-version":[{"id":4675,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4650\/revisions\/4675"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=4650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=4650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=4650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}