Security Alert: WordPress 4.7.0/4.7.1 exploit
Date:
2017-02-03 05:00:00
Status:
Closed
Brief Description:
WordPress versions 4.7.0 and 4.7.1 are vulnerable to an exploit that is easily run remotely and allows privilege escalation to unauthorized users. Sites hosted via the CU Blogs service are NOT at risk (they're on version 4.7.2, which isn't vulnerable).
Current Status:
WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
Services Affected:
IT Risk Assessment and Compliance Advising
Full Description:
This privilege escalation vulnerability affects the WordPress REST API, which was recently added and enabled by default in WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites running WordPress 4.7.0 or 4.7.1. If your website is on either of these versions of WordPress then it is currently vulnerable to this bug. Sites hosted via the CU Blogs service are NOT at risk (they're on version 4.7.2, which isn't vulnerable). More details: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
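Two checks a site administrator can run against the description above, as an added example (not code from this advisory or from WordPress): read the installed version out of wp-includes/version.php and compare it with the affected releases, and pull write requests to the posts REST route out of a web server access log for review. The log lines are constructed samples in Apache combined format; the route pattern assumes pretty permalinks (the `/wp-json/` prefix) and does not cover the `?rest_route=` form used on plain-permalink sites.

```python
import re
from typing import Dict, List, Optional

# Releases the advisory lists as affected; 4.7.2 is the fixed release.
VULNERABLE_VERSIONS = {"4.7.0", "4.7.1"}

# The REST route for posts: /wp-json/wp/v2/posts and /wp-json/wp/v2/posts/<id>,
# with or without a query string. Assumes pretty permalinks are enabled.
POSTS_ROUTE = re.compile(r"^/wp-json/wp/v2/posts(?:/[^\s?]*)?(?:\?\S*)?$")
# HTTP methods that create, edit or delete through the REST API.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def version_from_php(version_php_contents: str) -> Optional[str]:
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php_contents)
    return m.group(1) if m else None


def is_vulnerable_version(wp_version: str) -> bool:
    """True only for the releases the advisory names as affected."""
    return wp_version.strip() in VULNERABLE_VERSIONS


def flag_post_writes(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return access-log entries that are write requests to the posts REST route.

    The web server log does not show WordPress authentication state, so every
    hit is a candidate for review, not a confirmed unauthorized edit.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _user, ts, method, path, status = m.groups()
        if method in WRITE_METHODS and POSTS_ROUTE.match(path):
            hits.append({"ip": ip, "time": ts, "method": method,
                         "path": path, "status": int(status)})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Feb/2017:10:14:01 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [02/Feb/2017:10:14:07 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1540',
    '198.51.100.9 - - [02/Feb/2017:10:15:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/Feb/2017:10:16:03 +0000] "DELETE /wp-json/wp/v2/posts/7 HTTP/1.1" 200 88',
]
```

Run `flag_post_writes(SAMPLE_LOG)` to see the two REST write requests singled out; on a live site, feed it the real access log and compare the hits against the edit history in the WordPress dashboard.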
CIT TDX ID: