A Release Candidate for WordPress 4.7.1 is now available. This security and maintenance release fixes 62 issues reported against 4.7 and is scheduled for final release on Wednesday, January 11, 2017. Note this does not address a number of other issues, which are slated for a 4.7.2 release.

Thus far WordPress 4.7 has been downloaded over 9 million times since its release on December 6, 2016. Please help us by testing this release candidate to ensure 4.7.1 fixes the reported issues and doesn’t introduce any new ones. As always, the entire WordPress project is grateful to security reporters for practicing responsible disclosure.

PHPMailer Update

Last month a security vulnerability (CVE 20016-10033) in the PHPMailer library was made public. WordPress uses this library as the basis for its email functionality. The Security Team has spent some time analysing this vulnerability, and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., or any major plugins in the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.

All Changes

Here’s a list of all closed tickets, sorted by component:

Bootstrap/Load

• #39132 – WP 4.7, object-cache.php breaks the site if APC is not enabled in php

Build/Test Tools

• #39327 – Database connection errors in unit tests on 4.7

Bundled Theme

• #39138 – wordpress 4.7 default theme does not get installed when upgrading
• #39272 – Twenty Seventeen: Incorrect $content_width
• #39302 – Twenty Seventeen: Featured imageFeatured image A featured image is the main image used on your blog archive page and is pulled when the post or page is shared on social media. The image can be used to display in widget areas on your site or in a summary list of posts. not displayed on single template
• #39335 – Twenty Seventeen: customize-controls.js incorrectly assumes theme_options section is always present
• #39109 – Twenty Seventeen: starter content array needs a filterFilter Filters are one of the two types of Hooks https://codex.wordpress.org/Plugin_API/Hooks. They provide a way for functions to modify data of other functions. They are the counterpart to Actions. Unlike Actions, filters are meant to work in an isolated manner, and should never have side effects such as affecting global variables and output.
• #39489 – Twenty Seventeen: Bump version and update changelog

Charset

• #37982 – 4.6.1 Breaks apostrophes in titles and utf-8 characters

Comments

• #39280 – comment permalink wrong in WordPress 4.7
• #39380 – wp_update_comment can cause database error with new filter

Customize

• #39009 – CustomizerCustomizer Tool built into WordPress core that hooks into most modern themes. You can use it to preview and modify many of your site’s appearance settings.: the preview UIUI User interface language should be the user language
• #39098 – Customize: Clicking on child elements of preview links fails to abort navigation to non-previewable links
• #39100 – Customize: Edit shortcuts do not work if page hasn’t been saved and published
• #39101 – Customize: edit shortcuts for custom menu widgets do not work
• #39102 – Customize: Shift-click on placeholder nav menu items fails to focus on the nav menu item control
• #39103 – Customize: menus aren’t deleted
• #39104 – Customize: starter content home menu item needs to be a link, not a page
• #39125 – Customize: Video HeaderHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. YouTube field has issues when whitespace is inserted at beginning or end of URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org
• #39134 – Customize: custom CSSCSS Cascading Style Sheets. textarea is scrolled to top when pressing tab
• #39145 – custom-background URL escaped
• #39175 – Customizer assumes url is passed with replaceState and pushState
• #39194 – Invalidinvalid A resolution on the bug tracker (and generally common in software development, sometimes also notabug) that indicates the ticket is not a bug, is a support request, or is generally invalid. parameters in Custom CSS and Changeset queries
• #39198 – Customize: Apostrophes in custom CSS cause false positives for validation errors
• #39227 – Changeset parameter not generated
• #39259 – ‘custom_css_post_id’ theme mod of `-1` doesn’t prevent queries
• #39270 – Use a higher priority on wp_head for inline custom CSS
• #39349 – Customizer (mobile preview) site title extra padding
• #39444 – Text Decoration Underline removes on hover in Customizer

Editor

• #39276 – Link Editor bugbug A bug is an error or unexpected result. Performance improvements, code optimization, and are considered enhancements, not defects. After feature freeze, only bugs are dealt with, with regressions (adverse changes from the previous version) being the highest priority. – target=”_blank” not removed
• #39313 – Add New button not disappearing in Distraction-free Writing mode
• #39368 – .page-template-default body class in editor doesn’t appear in initial post/page load.

External Libraries

• #37210 – Update PHPMailer to 5.2.21

Feeds

• #39066 – `fetch_feed()` changes REST APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/. response `Content-Type`
• #39141 – RSS feeds have incorrect lastBuildDate when using alternate languages

General

• #39148 – Correct concatenated dynamic hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same.
• #39433 – Update copyright year in license.txt

HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.

• #37839 – wp_remote_get sometimes mutilates the response body
• #37991 – fsockopen logic bug
• #37992 – fsockopen hard codes port 443 when http scheme used
• #38070 – RegEx to remove double slashes affects query strings as well.
• #38226 – “cURL error 23: Failed writing body” when updating plugins or themes
• #38232 – Setting `sslverify` to false still validates the hostname

Media

• #39195 – Undefined index: extension in class-wp-image-editor-imagick.php on line 152
• #39231 – Allow the pdf fallback_intermediate_image_sizes filter to process add_image_size() sizes.
• #39250 – Undefinded Variable in Media-Modal

Posts, Post Types

• #39211 – is_page_template could return true on terms

REST API

• #38700 – REST API: Cannot send an empty or no-op comment update
• #38977 – REST API: `password` is incorrectly included in arguments to get a media item
• #39010 – REST API: Treat null and other falsy values like `false` in ‘rest_allow_anonymous_comments’
• #39042 – REST API: Allow sanitization_callback to be set to null to bypass `rest_parse_request_arg()`
• #39070 – WP-API JSJS JavaScript, a web scripting language typically executed in the browser. Often used for advanced user interfaces and behaviors. client can’t use getCategories for models returned by collections
• #39092 – REST API: Add support for filename search in media endpoint
• #39150 – Empty JSONJSON JSON, or JavaScript Object Notation, is a minimal, readable format for structuring data. It is used primarily to transmit data between a server and web application, as an alternative to XML. Payload Causes rest_invalid_json
• #39293 – WordPress REST API warnings
• #39300 – REST API Terms Controller Dynamic Filter Bug
• #39314 – WP-API Backbone Client: buildModelGetter fails to reject deferred on fetch error

TaxonomyTaxonomy A taxonomy is a way to group things together. In WordPress, some common taxonomies are category, link, tag, or post format. https://codex.wordpress.org/Taxonomies#Default_Taxonomies.

• #39215 – Support for string $args in wp_get_object_terms() broken in 4.7
• #39328 – Adding terms without AJAX strips “taxonomy” query arg

Themes

• #39246 – Theme deletion has a JS error that prevents multiple themes from being deleted.

Upgrade/Install

• #39047 – Installer tries to create nonce before options table exists
• #39057 – FTPFTP FTP is an acronym for File Transfer Protocol which is a way of moving computer files from one computer to another via the Internet. You can use software, known as a FTP client, to upload files to a server for a WordPress website. https://codex.wordpress.org/FTP_Clients. credentials form doesn’t display the SSH2 fields on the Updates screen

#4-7, #4-7-1, #maintenance, #release, #security