WordPress Security and Maintenance Release 4.7.2 is now available on WordPress.org site. This release patches several vulnerabilities found in WordPress core. This update is relevant to all older WordPress versions. As always, we recommend not to ignore WordPress Security and Maintenance updates and update your sites as soon as possible.
WordPress Security release 4.7.2 key points
- Press This function user interface for assigning taxonomy terms is shown to users who do not have permissions to use it. This vulnerability found and reported by David Herrera of Alley Interactive.
- WP_Query suffers from SQL injection (SQLi) vulnerability when passing unsafe data. In this case, WordPress core is not vulnerable on its own. It was patched just to prevent WordPress plugins and themes from accidental vulnerability triggering. This issue was found and reported by Mo Jangda (batmoo).
- Post list table vulnerable to a cross-site scripting (XSS) and the vulnerability found and reported by Ian Dunn (WordPress Security Team).
- An unauthenticated privilege escalation vulnerability in a REST API endpoint. Issue discovered and reported by Marc-Alexandre Montpas (Sucuri).
WordPress Security and Maintenance Release 4.7.2 caused a great resonance because of delayed update information disclosure. Upon the release of update details, many websites with outdated WordPress versions have experienced various attacks, and some of them were successful.