Just over a month after the first WordPress 4.7 release, new incremental update debuts fixing 62 bugs, including a security flaw in the popular PHPMailer email library that was first publicly reported in December 2016.
WordPress 4.7.1 was officially released on Jan. 11, providing users of the popular open-source content management system with an incremental update fixing 62 bugs and 8 security issues.
The WordPress 4.7.1 update follows the release of WordPress 4.7 codenamed ‘Vaughan’ that debuted on Dec. 6, 2016. Just over a month since its release, WordPress 4.7 has over 16 million downloads, according to WordPress.
Those millions of users began to receive notifications yesterday that their sites were being updated. Since the WordPress 3.7 release in October 2013, the open-source CMS has provided its users with an automatic updating system for incremental releases.
The most noteworthy security fix in the WordPress 4.7.1 update is for a vulnerability that isn’t actually within WordPress’ own code, but rather in open-source code from the PHPMailer library. PHPMailer is an email creation and transfer library for PHP that is used by WordPress.
The PHPMailer vulnerability is a Remote Code Execution (RCE) identified as CVE-2016-10033, that was first publicly reported by security researcher Dawid Golunski on Dec. 25, 2016.
“Research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve emote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski wrote in his disclosure.
The PHPMailer open-source project issued an update for the CVE-10033 vulnerability on Dec. 24, 2016, though it turned out to not fully fix the issue. As a result, Golunski was still able to bypass PHPMailer’s patch in a vulnerability identified as CVE-2016-10045, which in turn was patched by the PHPMailer 5.2.20 release on Dec. 28, 2016.
As to why WordPress did not update sooner for the PHPMailer issue, it’s simply due to the fact that WordPress developers didn’t see the vulnerability as directly being able to impact WordPress.
“Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress and wp_mail() does not use,” WordPress Lead Developer, Dion Hulse wrote in a comment on the bug tracker for the flaw.
The WordPress 4.7.1 release notes, “no specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.”
In addition to the PHPMailer update, there was an information leakage flaw with the REST API that could have potentially exposed user data. The WordPress 4.7.1 update also provides patches for two different Cross-Site Scripting (XSS) vulnerabilities as well as a pair of Cross-Site Request Forgery (CSRF) flaws.
The other two security issues fixed in the WordPress 4.7.1 update including a configuration change in how the CMS allows users to post a story via email and a fix for a weak cryptographic security used to activate a multi-site deployment of WordPress.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.