If you have not already updated your WordPress websites to WordPress 4.7.2, you need to do so immediately.
While three security vulnerabilities were disclosed in the original WordPress 4.7.2 security release post last week, an additional security fix included in WordPress 4.7.2 was disclosed yesterday.
In this disclosure, an "Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint" was reported to affect WordPress 4.7 and 4.7.1. It allows an attacker who is not logged in to bypass WordPress's standard permission checks and change site content. Because of the significance of this vulnerability, we strongly recommend updating your WordPress websites to WordPress 4.7.2 as quickly as possible.
Note: We tested and found that websites using our iThemes Security plugin with the WordPress Tweaks > REST API setting set to “Restricted Access” (as we recommend) are protected against this vulnerability, but it is still important to update, because WordPress 4.7.2 also fixes other vulnerabilities.
Updating to WordPress 4.7.2
While WordPress 4.7.2 was released as an automatic update, confirm that each of your sites has actually been updated. The WordPress 4.7.2 update is available from your WordPress dashboard: open the Updates page by clicking the updates icon in the top navigation bar. As always, it's a good idea to run a WordPress backup before updating.
You can also save time by updating all of your WordPress websites at once from the iThemes Sync dashboard, where 4.7.2 appears as an available core update.
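If you manage many sites, it helps to verify the installed version programmatically rather than trusting that the automatic update ran. The script below is an added example and is not code from the original post, from WordPress, or from iThemes. It reads the version from either the contents of `wp-includes/version.php` or the `generator` meta tag WordPress prints in a page head, and reports any site still below 4.7.2. The sample file contents, page, and site names are constructed for the example; the `$wp_version` line and the generator tag are WordPress's real formats.

```python
"""Check WordPress installs against the 4.7.2 security release.

Added example, not code from the original post or from iThemes. Sample inputs
below are constructed; the file and tag formats are WordPress's real ones.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "4.7.2"  # release that carries the REST API fix discussed above

# wp-includes/version.php contains a line such as:  $wp_version = '4.7.1';
_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")
# WordPress advertises its version in the page head unless the theme removes it:
#   <meta name="generator" content="WordPress 4.7.1" />
_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([^"\']+)["\']',
    re.IGNORECASE,
)
_RELEASE_RE = re.compile(r"^\d+(?:\.\d+)*$")  # plain release numbers only


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.7' -> (4, 7, 0) and '4.7.2' -> (4, 7, 2), so tuples compare sanely."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_version_php(contents: str) -> Optional[str]:
    """Extract the version string from the contents of wp-includes/version.php."""
    match = _VERSION_PHP_RE.search(contents)
    return match.group(1) if match else None


def version_from_html(html: str) -> Optional[str]:
    """Extract the version from a rendered page's generator meta tag, if present."""
    match = _GENERATOR_RE.search(html)
    return match.group(1).strip() if match else None


def needs_update(version: Optional[str], fixed: str = FIXED_VERSION) -> bool:
    """True when the site must be updated.

    Unknown versions and development/pre-release builds (e.g. '4.7.2-alpha-39771')
    are treated conservatively: report them rather than assume they carry the fix.
    """
    if version is None or not _RELEASE_RE.match(version):
        return True
    return parse_version(version) < parse_version(fixed)


def outdated_sites(sites: Dict[str, Optional[str]]) -> List[str]:
    """Given {site: detected version or None}, return the sites still needing the update."""
    return sorted(site for site, version in sites.items() if needs_update(version))


# Constructed samples standing in for a real version.php and a fetched front page.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>'
SAMPLE_SITES = {
    "blog.example": version_from_version_php(SAMPLE_VERSION_PHP),  # 4.7.1: vulnerable
    "shop.example": version_from_html(SAMPLE_HTML),                 # 4.7.2: fixed
    "docs.example": "4.8",                                          # newer: fixed
    "legacy.example": None,  # generator tag removed; cannot tell, so reported
}

if __name__ == "__main__":
    for site in outdated_sites(SAMPLE_SITES):
        print(f"{site}: needs update to {FIXED_VERSION} (detected: {SAMPLE_SITES[site]!r})")
```

Reading `version.php` from the webroot is the reliable check when you have filesystem or SSH access to the host; the generator tag is only a remote hint, since many hardened sites remove it, and the script deliberately reports a site whose version it cannot determine rather than silently passing it.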