1、Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.

2、The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

3、Cross-site scripting (XSS) via the plugin name or version header on update-core.php.

4、Cross-site request forgery (CSRF) bypass via uploading a Flash file.

5、Cross-site scripting (XSS) via theme name fallback.

6、Post via email checks mail.example.com if default settings aren't changed.

7、A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.

8、Weak cryptographic security for multisite activation key.


本文出处:老蒋部落 » WordPress4.7.1升级版本发布且更新多个安全问题 | 欢迎分享( 公众号:老蒋朋友圈 )

公众号 「老蒋朋友圈」获取站长新知 / 加QQ群 【1012423279】获取商家优惠推送