Severe Security Risk
If you’ve not updated your WordPress website from version 4.7 you really need to update. STAT!
The remote privilege escalation and content injection hole hits WordPress versions 4.7 and 4.7.1 and allows all pages on unpatched sites to be modified, which can be used to redirect visitors to exploits and a myriad of attacks.
WordPress slipped in the fix with version 4.7.2 but didn’t reveal it in the hope hackers would not exploit a flaw they didn’t know about. Yikes!
WordPress, the world’s most popular content management system (CMS), used on millions of websites, pushed update 4.7.2 in a patch run that shuttered SQL injection vulnerabilities.
This privilege escalation vulnerability affects the WordPress REST API, which was recently added and is enabled by default in WordPress 4.7.0.
One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. Scary, indeed.
The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1.
If your website is on these versions of WordPress then it is currently vulnerable to this bug.
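
To check a site for exposure, here is a small triage script. It is an added example, not code from WordPress or from the original article. It reads the version string from the text of wp-includes/version.php and lists write requests to the REST posts endpoint in an access log. It assumes the common "combined" log format, and the sample version file and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

AFFECTED = {(4, 7, 0), (4, 7, 1)}          # versions named in this article
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
POSTS_ROUTE = re.compile(r"^/wp/v2/posts(?:/|$)")

def parse_wp_version(version_php):
    """Return (major, minor, patch) from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"](\d+)\.(\d+)(?:\.(\d+))?['\"]", version_php)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_affected(version):
    return version in AFFECTED             # "4.7" is treated as 4.7.0

def rest_route(target):
    """REST route from the /wp-json/... path or the ?rest_route=... form."""
    url = urlsplit(target)
    if "/wp-json/" in url.path:
        return "/" + url.path.split("/wp-json/", 1)[1]
    values = parse_qs(url.query).get("rest_route")
    return values[0] if values else None

def post_write_requests(lines):
    """Write requests to the posts endpoint: candidates for review, not proof."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        route = rest_route(target)
        if method in WRITE_METHODS and route and POSTS_ROUTE.match(route):
            hits.append((ip, when, method, route, int(status)))
    return hits

# Constructed sample input (documentation IP ranges, invented timestamps).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2017:10:01:11 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Feb/2017:10:01:14 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5231',
    '198.51.100.23 - - [02/Feb/2017:10:05:40 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F3 HTTP/1.1" 200 4870',
    '198.51.100.23 - - [02/Feb/2017:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("affected:", is_affected(parse_wp_version(SAMPLE_VERSION_PHP)))
    for hit in post_write_requests(SAMPLE_LOG):
        print(hit)
```

Access logs do not show whether a request was authenticated, so compare each hit against the editors and integrations you expect to use the REST API, and against each post's revision history.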