WordPress is known by some as a platform with a host of security vulnerabilities and bloat in the software. However, it is an immense platform, with over 12.4 billion user pages and 73.9 million new posts per month.
Last Wednesday, WordPress version 4.7.1 was released. In this update, the WordPress team patched eight security vulnerabilities and sixty-two bugs. There have been approximately 17.8 million downloads of the version since its release.
This new version patched two XSS (Cross-site scripting) vulnerabilities that had been discovered in plugins. The WordPress team also fixed two Cross-site request forgery (CSRF) vulnerabilities and several others, listed below:
- Remote code execution (RCE) in PHPMailer
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks mail.example.com if default settings aren’t changed.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
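Two of the items above have a configuration-side counterpart that a site owner can apply regardless of the core fix. The snippet below is an added example for this article, not code from WordPress or from the original post. It assumes WordPress 4.7.1 or later and that the file is dropped into wp-content/mu-plugins/ so it loads on every request; the post type name `internal_note` is a placeholder. It registers a post type with `show_in_rest` left at false (so its authors are not swept into the REST users listing under the 4.7.1 rule), hides the users endpoints from anonymous REST clients via the `rest_endpoints` filter, and turns off the legacy post-via-email feature with the `enable_post_by_email_configuration` filter so the default mail.example.com settings are never polled.

```php
<?php
/*
 * Plugin Name: REST and Post-via-Email Hardening
 * Description: Added example (not from the article or WordPress core).
 *              Assumes WordPress >= 4.7.1, placed in wp-content/mu-plugins/.
 */

// 1. Register an internal post type that must stay out of the REST API.
//    'show_in_rest' defaults to false; stating it explicitly documents the intent.
//    Under the 4.7.1 behaviour, authors of posts in a post type with
//    show_in_rest = false are not listed by the public users endpoint.
add_action( 'init', function () {
    register_post_type( 'internal_note', array(   // 'internal_note' is a placeholder name
        'label'        => 'Internal Notes',
        'public'       => false,
        'show_ui'      => true,
        'supports'     => array( 'title', 'editor', 'author' ),
        'show_in_rest' => false,
    ) );
} );

// 2. Remove the users endpoints for unauthenticated REST requests.
//    Logged-in users (editors, admins) keep them, so the block editor and
//    author pickers continue to work.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. Disable the post-via-email feature entirely. With this filter returning
//    false, the settings UI is hidden and wp-mail.php refuses to run, so the
//    untouched default mailbox (mail.example.com) is never contacted.
add_filter( 'enable_post_by_email_configuration', '__return_false' );
```

After activating the file, a request to /wp-json/wp/v2/users without a logged-in cookie should return a 404 from the REST router rather than a list of authors, while the same request made by an authenticated editor still succeeds; the `enable_post_by_email_configuration` filter can be confirmed by checking that the "Post via email" section no longer appears under Settings > Writing.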
Based on a report by Sucuri.net, a website security firm, WordPress is by far the most compromised CMS application. However, the compromises are often due to improper deployment, configuration, and overall maintenance by webmasters rather than flaws in the core software.