On January 11, WordPress has released a Security and Maintenance Update and they suggest you to update immediately. As WordPress users ourselves, we strongly share their suggestion.

If your website uses WordPress as a Content Management System (CMS), you should backup your website and update WordPress Core to the latest version.

To backup your website is always important, especially before installing Core updates, so to prevent issues. Also, if your website has Plugins installed, these may not always be 100% compatible with the new version which can lead to your website becoming broken or unbrowsable.

What does WordPress 4.7.1 update fix?

Being an open source, heavily community-reliant CMS, WordPress updates are usually based on the huge amount of feedback coming from its huge user base (WordPress 4.7 has been downloaded over 17 million times).

This is a short list of the main bugs that the 4.7.1 update fixes, along with a brief explanation:

  • Remote code execution (RCE) in PHPMailer.
    PHPMailer is an email creation and transfer class for PHP used by many open source web-related projects such as WordPress, Drupal and Joomla!
  • The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
    REST is an architecture style for designing networked applications.
  • Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
    XSS is a kind of vulnerability used to bypass websites’ access controls.
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
    CSRF is a type of malicious website exploit where unauthorized commands are transmitted from a user that the website trusts.
  • Cross-site scripting (XSS) via theme name fallback.
  • Post via email checks mail.example.com if default settings aren’t changed.
  • A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
  • Weak cryptographic security for multisite activation key.
    Multisite is a WordPress feature that enables the creation of multiple virtual sites under a single WordPress installation.

There are other 62 bugs that have been fixed. If you are interested, you can check the full Release Notes for WordPress 4.7.1 directly from their website.

Need help? Contact us!