Web hosting company reports problems due to 4.7.1 update

  • [ Moved to the Fixing WordPress sub-forum. ]

    This morning, almost immediately after my three WordPress sites had been updated to 4.7.1, my web hosting company reported vulnerabilities in WP and said “should be fixed immediately”. All my sites are using the Finnish version of WordPress and were automatically updated from v. 4.7.

    Those vulnerabilities seem to relate directly to the following fixes in 4.7.1:

    Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
    webhost: XSS vulnerability in WordPress /…/wp-admin/update-core.php

    Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
    webhost: XSS vulnerability in WordPress /…/wp-includes/class-wp-theme.php

    My webhost also reported other vulnerabilities, in short:

    1. CSRF vulnerability in /…/wp-admin/widgets.
    2. data revealing vulnerability in /…/wp-includes/ms-functions.php
    3. data revealing vulnerability in /…/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

    On the positive side: the 4.7.1 update seemed to fix the previously reported vulnerability in php-mailer.php – which I had fixed manually based on some support site code.
