Craig Small <csmall@debian.org> uploaded new packages for wordpress
which fixed the following security problems:

CVE-2016-10066, CVE-2016-10045
  Potential Remote Command Execution (RCE) in PHPMailer
CVE-2017-5488
  Authenticated Cross-Site scripting (XSS) in update-core.php
CVE-2017-5490
  Stored Cross-Site Scripting (XSS) via Theme Name fallback
CVE-2017-5491
  Post via Email Checks mail.example.com by Default
CVE-2017-5492
  Accessibility Mode Cross-Site Request Forgery (CSRF)
CVE-2017-5493
  Cryptographically Weak Pseudo-Random Number Generator
CVE-2017-5487
  User Information Disclosure via REST API - API doesn't exist
CVE-2017-5489
  Cross-Site Request Forgery (CSRF) via Flash Upload

For the jessie-backports distribution the problems have been fixed in
version 4.7.1+dfsg-1~bpo8+1