WordPress 4.7.1 Release

On January 11, 2017 WordPress released version 4.7.1. This is a SECURITY and maintenance release. This release corrects the issues listed below as per official WordPress release information.

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Additionally, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

As stated before, this is a SECURITY release and it is strongly suggested that everyone upgrade to 4.7.1 immediately.

Thoughts on “WordPress 4.7.1 Release”

  • WordPress is blocking the upload of .svg files? Is this a host setting? I have a function in my functions class to allow, but I keep getting the “Sorry, this file type is not permitted for security reasons” message.

  • Tim S advised me not to downgrade my WordPress because it’s a SECURITY release but I can’t upload mp3 files to my site since the upgrade from 4.7 to 4.7.1. If there is any other way I can fix this problem without downgrading, that will be much appreciated Sir.

  • Noticed the latest WordPress doesn’t allow mp3 to be uploaded. Sees mp3 files as a threat to WordPress security. I’m still trying to downgrade to WordPress 4.7 to keep uploading my mp3 files.

    • 4.7.1 is a security release so I would not advise downgrading. If you do, you will be vulnerable to various new exploits.
