WordPress 4.7 was released towards the end of last year and brought with it a host of new features, including a new default theme, theme starter content, and REST API content endpoints.

As is usually the case with a major new WordPress version, WordPress 4.7 was closely followed by a minor release with bugfixes. WordPress 4.7.1 also includes a number of fixes for potentially serious vulnerabilities. WordPress users should update at their earliest convenience to ensure that their sites are safe.

The headline vulnerability is one that has caused serious problems for a number of PHP-based applications, but which left WordPress largely unscathed. PHPMailer is an email library used on millions of servers — in fact, it’s billed as the most popular email sending library in the world and almost every major PHP application that includes email functionality uses it, including Drupal, Joomla!, and WordPress.

Late last year it was discovered that PHPMailer contained a serious remote code execution vulnerability. I want to emphasize that there’s no evidence this vulnerability is being (or could be) actively used against WordPress sites. Major plugins have been checked and they’re unaffected too.

Nevertheless, it’s never a good idea to leave known vulnerabilities in play; it’s entirely possible that less-popular plugins aren’t so resilient, so a speedy update is the best course of action.

The vulnerability had the potential to allow anyone to remotely execute code on a server by sending an email. PHPMailer did not properly sanitize input and passed some parts of emails to the shell without making any code it contained inert. By embedding shell script in the sender field of an email, an attacker could cause it to be executed on the server.

In addition to the PHPMailer problem, several other vulnerabilities were fixed, including a couple of cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities could allow an attacker to embed JavaScript code within a web page. When a user opens the page, the code is executed and has access to session information for that user, including their authentication cookie. If an admin user runs the code, the attacker may be able to take control of the site.

Finally, WordPress 4.7.1 fixes a information leak problem with the REST API.

If your site has automatic updates turned on, you don’t have to do anything — minor updates are applied automatically. But if you have automatic updates turned off, be sure to manually update to the most recent version of WordPress.

Posted in:
Security, WordPress