WordPress has released version 4.7.1, a security and maintenance release. We suggest that you upgrade as soon as possible. The release resolves eight security issues:
- Remote code execution (RCE) in PHPMailer
- The REST API exposed user data for all users who had authored a post of a public post type
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php
- Cross-site request forgery (CSRF) bypass via uploading a Flash file
- Cross-site scripting (XSS) via theme name fallback
- Post via email checks mail.example.com if default settings aren’t changed
- Cross-site request forgery (CSRF) in the accessibility mode of widget editing
- Weak cryptographic security for multisite activation key
Full details can be found on the WordPress 4.7.1 release announcement.