WordPress 4.7.1 has been released, and the release notes show that it patches eight security flaws along with 62 other bugs.
Released this Wednesday, 4.7.1 is classified by the WordPress team as a security release for every version that came before it. The accompanying release notes list fixes for eight security vulnerabilities and 62 other issues.
The WordPress team stated that the 4.7 version of the CMS was downloaded more than 10 million times since it was made available on the 6th of December, 2016.
One of the fixes addresses a remote code execution (RCE) vulnerability in the bundled PHPMailer library, tracked as CVE-2016-10033, by updating that library. WordPress core developer Aaron D. Campbell explained that the team had not found a specific way the flaw affected WordPress core or any of the plugins they examined, but chose to update PHPMailer in this release out of an abundance of caution.
Chris Jean and Brian Krogsgard reported that the REST API exposed user data for every user who had authored a post of a public post type.
The release also addresses two cross-site scripting (XSS) flaws.
According to the advisory, one XSS flaw, reported by Dominik Schilling of the WordPress security team, could be triggered through a plugin's name or version header on update-core.php.
The other XSS flaw, in the "theme name fallback", was reported by Mehmet Ince.
Two cross-site request forgery (CSRF) flaws were also fixed. Abdullah Hussam reported a CSRF bypass that could be exploited by uploading a specially crafted Flash file, and Ronnie Skansing reported a CSRF issue affecting widget editing when it is done in accessibility mode.
The new version also fixes weak cryptographic security for the multisite activation key, a flaw reported by a researcher known only as Jack.
John Blackbourn, another member of the WordPress security team, reported that with its default settings unchanged, the post-by-email feature automatically checks mail.example.com for mail.
The advisory notes that sites with automatic background updates enabled have already begun updating to WordPress 4.7.1. Sites without that feature must either download and install the new version or go to the Dashboard, click Updates, then click Update Now.
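For administrators responsible for more than one site, the quickest way to confirm whether an install has reached the security release is to read the version string WordPress core keeps in wp-includes/version.php. The following script is an added example written for this page; it is not code from the article or from the WordPress project. It assumes the `$wp_version = '...'` assignment that file contains, compares the value against 4.7.1, and treats pre-release builds such as `4.7.1-alpha-39600` as older than the final release. The file contents used as sample input are constructed for illustration.

```python
"""Check whether a WordPress install is at or past the 4.7.1 security release.

Added example, not code from the article or from WordPress core. It parses the
$wp_version assignment in wp-includes/version.php and compares it with 4.7.1.
"""
import re
from pathlib import Path

SECURITY_RELEASE = (4, 7, 1)  # the fixed version named in the article

# Matches the assignment WordPress core uses in wp-includes/version.php.
_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """Return (numeric_tuple, is_prerelease) for a WordPress version string.

    '4.7' -> ((4, 7, 0), False); '4.7.1-alpha-39600' -> ((4, 7, 1), True).
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad '4.7' to 4.7.0 for comparison
    return tuple(parts[:3]), "-" in text


def is_patched(version_text, fixed=SECURITY_RELEASE):
    """True if version_text is the fixed release or later.

    A pre-release build of the fixed version (e.g. 4.7.1-alpha) predates the
    release and is reported as unpatched.
    """
    nums, prerelease = parse_version(version_text)
    if nums > fixed:
        return True
    if nums == fixed:
        return not prerelease
    return False


def check_version_php(contents):
    """Extract $wp_version from version.php text and report patch status."""
    m = _WP_VERSION_RE.search(contents)
    if not m:
        raise ValueError("no $wp_version assignment found")
    version = m.group(1)
    return {"version": version, "patched": is_patched(version)}


def check_install(wp_root):
    """Read wp-includes/version.php under a WordPress document root."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    return check_version_php(path.read_text(encoding="utf-8"))


# Constructed stand-in for wp-includes/version.php on an unpatched 4.7 site.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7';
"""

if __name__ == "__main__":
    # Constructed input; on a real host call check_install('/var/www/html').
    print(check_version_php(SAMPLE_VERSION_PHP))
```

Run it against each document root (for example `check_install('/var/www/html')`) and treat any result with `patched: False` as a site that still needs the 4.7.1 update applied.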
Separately, security company Sucuri recently published a report stating that WordPress remains the most frequently hacked CMS. Pierluigi Paganini reported that RIPS Technologies examined the 44,705 plugins in the official WordPress plugin directory and found that more than 8,800 of them contain vulnerabilities.