A new security issue has been found in PHPMailer, the library used to send emails from your WordPress site.
UPDATE 1/10/17 – The developer of the PHPMailer code has patched it for this vulnerability.
As reported in Tips Tuesday for Jan 10 2016, WordPress will not be creating a patch for it.
So hosts are now applying the patch directly from the developer.
You may get an email from your host reporting that they are taking this action.
UPDATE 1/11/17 – The very next day, WordPress rolled out 4.7.1, stating that there was still no issue in the code but that they updated it anyway, just to be sure.
Following is a brief on the situation and what you need to do.
You may get an email from your host about this if they have active security scanners.
It will take a WordPress update to fix it, and they are already working on that. If you have auto updates turned on (they are, unless you changed code to turn them off), the WP security update will be auto-installed for you.
If you use a plugin for email from your site (like one with SMTP and an outside service), it will not be affected by this exploit.
Also, a hacker would have to get control of the sending address (yours) to be able to actually run the exploit. So, that’s probably never going to happen.
What You Should Do
If you haven’t updated to WP 4.7, you may want to do that now. I don’t know if a security patch will be available for WP 4.6 or not, but usually when something like this happens so close to a major release date, they do patch for both. If you’ve already updated to WP 4.7, just sit tight and let the WordPress auto update take care of this for you.
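One way to check where a site stands from a shell on the server, as an added example that is not from WordPress or any host: it reads the core version from `wp-includes/version.php`, compares it with the 4.7.1 release mentioned above, and looks in `wp-config.php` for the two WordPress constants that switch off automatic core updates. The function names are made up for this sketch, and it assumes a standard WordPress directory layout.

```shell
#!/bin/sh
# Added example; function names are hypothetical, layout is assumed standard.

# Print the core version recorded in <wp_root>/wp-includes/version.php.
wp_core_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Succeed when dotted version $1 >= $2 (numeric fields only, three levels).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Succeed when wp-config.php defines a constant that turns off background
# core updates. Commented-out lines are skipped; update filters set by
# plugins or themes are not detected.
auto_updates_disabled() {
    grep -Eiq "^[[:space:]]*define\( *['\"](AUTOMATIC_UPDATER_DISABLED['\"] *, *true|WP_AUTO_UPDATE_CORE['\"] *, *false)" \
        "$1/wp-config.php"
}

# Report one line per site: OK, WAIT-FOR-AUTO-UPDATE, UPDATE-MANUALLY or UNKNOWN.
check_site() {
    ver=$(wp_core_version "$1" 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
        return 2
    fi
    if version_ge "$ver" 4.7.1; then
        echo "OK $ver"
        return 0
    fi
    if auto_updates_disabled "$1"; then
        echo "UPDATE-MANUALLY $ver"
    else
        echo "WAIT-FOR-AUTO-UPDATE $ver"
    fi
    return 1
}

# Stand-alone use: sh check.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

A result of `UPDATE-MANUALLY` means the site is older than 4.7.1 and will not pick up the security release by itself.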
Here’s a link with more info from WordFence.
There is also a post on Hacker News, but I’m not sure they are keeping it as up to date as WordFence.