Jan 19, 2017
Just over a month ago, WordPress released version 4.7, which not only eliminated 62 bugs from the core code but also resolved the security flaw in the popular PHPMailer email library that was first publicly reported in November 2016. WordPress then launched v4.7.1 on Jan 11, giving users of this widely trusted open-source CMS an incremental update that fixes the bugs and 8 security issues.
If you are not that tech-savvy, you can turn to a WordPress developer, who will help you move to the latest version and install all the patch files. The v4.7.1 update follows the release of v4.7, codenamed “Vaughan”, which debuted on 6th Dec 2016. Within just one month, v4.7 has had over 16 million downloads, and the number is rising day by day. Since the release of v3.7, WordPress has provided an automatic update system so that users don’t have to go through the hassle of doing everything manually.
The major security fix in the WP 4.7.1 update is for a vulnerability that isn’t actually within WordPress’s own code but rather in the open-source PHPMailer library. PHPMailer is an email creation and transfer library for PHP that is used by WordPress. The flaw is a Remote Code Execution (RCE) vulnerability identified as CVE-2016-10033, which was first reported by users in Dec 2016.
Although PHPMailer issued an update for CVE-2016-10033 on Dec 24, 2016, it was not capable of fixing that issue. As a result, millions of websites were not able to send emails to their customers and clients. Once this issue was reported, PHPMailer instantly released the patch for this vulnerability. The question that arises is why WordPress did not update sooner for the PHPMailer issue. The WP developers didn’t see this issue as directly affecting WordPress’s core functionality, so they were less concerned by the problem.
After the release of v4.7.1, WordPress is no longer affected by these recent problems, and the platform has become safer and more secure. According to the v4.7.1 installation notes, “no specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.”
Apart from the PHPMailer update, another flaw was reported: an information leak in the REST API that could have exposed users’ personal and financial data. This latest version of WordPress also patches two separate Cross-Site Scripting (XSS) vulnerabilities as well as a pair of Cross-Site Request Forgery (CSRF) flaws.
The other two security issues fixed in the WordPress v4.7.1 update are a configuration change in how the CMS allows users to post a story via email and a fix for weak cryptographic security used to activate a multi-site deployment of WordPress.
In this article, you will read about some security updates that come with the latest version of WordPress i.e. v4.7.1.