WordPress 4.7.1 Updates for PHPMailer Flaw | eWeek

WordPress 4.7.1 Updates for 8 Security Issues

WordPress 4.7.1
Jan 12, 2017
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

WordPress 4.7.1 was officially released on Jan. 11, providing users of the popular open-source content management system with an incremental update fixing 62 bugs and 8 security issues.

The WordPress 4.7.1 update follows the release of WordPress 4.7 codenamed ‘Vaughan’ that debuted on Dec. 6, 2016. Just over a month since its release, WordPress 4.7 has over 16 million downloads, according to WordPress.

Those millions of users began to receive notifications yesterday that their sites were being updated. Since the WordPress 3.7 release in October 2013, the open-source CMS has provided its users with an automatic updating system for incremental releases.

The most noteworthy security fix in the WordPress 4.7.1 update is for a vulnerability that isn’t actually within WordPress’ own code, but rather in open-source code from the PHPMailer library. PHPMailer is an email creation and transfer library for PHP that is used by WordPress.

The PHPMailer vulnerability is a Remote Code Execution (RCE) identified as CVE-2016-10033, that was first publicly reported by security researcher Dawid Golunski on Dec. 25, 2016.

“Research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve emote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski wrote in his disclosure.

The PHPMailer open-source project issued an update for the CVE-10033 vulnerability on Dec. 24, 2016, though it turned out to not fully fix the issue. As a result, Golunski was still able to bypass PHPMailer’s patch in a vulnerability identified as CVE-2016-10045, which in turn was patched by the PHPMailer 5.2.20 release on Dec. 28, 2016.

As to why WordPress did not update sooner for the PHPMailer issue, it’s simply due to the fact that WordPress developers didn’t see the vulnerability as directly being able to impact WordPress.

“Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress and wp_mail() does not use,” WordPress Lead Developer, Dion Hulse wrote in a comment on the bug tracker for the flaw.

The WordPress 4.7.1 release notes, “no specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.”

In addition to the PHPMailer update, there was an information leakage flaw with the REST API that could have potentially exposed user data. The WordPress 4.7.1 update also provides patches for two different Cross-Site Scripting (XSS) vulnerabilities as well as a pair of Cross-Site Request Forgery (CSRF) flaws.

The other two security issues fixed in the WordPress 4.7.1 update including a configuration change in how the CMS allows users to post a story via email and a fix for a weak cryptographic security used to activate a multi-site deployment of WordPress.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.