nessus | Tenable | 9894.PRM
History: Jan 17, 2017 - 12:00 a.m.

WordPress < 4.7.1 Multiple Vulnerabilities

2017-01-17 00:00:00
Tenable
www.tenable.com

Versions of WordPress prior to 4.7.1 are affected by multiple vulnerabilities:

  • A flaw exists in the ‘wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php’ script that is triggered when making a request to the ‘wp-json/wp/v2/users’ API endpoint and that may expose user data for users who have authored public posts. This may allow a remote attacker to disclose potentially sensitive user data. (CVE-2017-5487)
  • A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the ‘wp-admin/update-core.php’ script does not validate input to the plugin name or version header before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2017-5488)
  • A flaw exists that is triggered during the handling of a specially crafted uploaded Flash file. This may allow a context-dependent attacker to bypass CSRF protection mechanisms and potentially conduct a CSRF attack. (CVE-2017-5489)
  • A flaw exists that allows an XSS attack. This flaw exists because the ‘wp-includes/class-wp-theme.php’ script does not validate input when handling theme name fallback before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2017-5490)
  • A flaw exists in the ‘wp-mail.php’ script that is triggered when the post-via-email feature checks mail.example.com under the default settings. This may allow an attacker to spoof the mail server and bypass restrictions. (CVE-2017-5491)
  • A flaw exists related to the accessibility mode of widget editing, as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack, causing the victim to edit widgets. (CVE-2017-5492)
  • A flaw exists in the ‘wp-includes/ms-functions.php’ script that is due to the use of weak cryptographic security for multisite activation keys. No further details have been provided by the vendor. (CVE-2017-5493)
Vendor | Product | Version | CPE
wordpress | wordpress | | cpe:/a:wordpress:wordpress