UPDATE! Another security vulnerability, which is much more important, has been announced by Sucuri. A fix was rolled in, and many who have updated to WordPress 4.7.2 have been protected from its effects.

Three security vulnerabilities have been found and fixed in version 4.7.2 of WordPress, covering SQL injection, cross-site scripting, and a permissions issue. Specifically, these are the issues:

  • Cross-site scripting (XSS) vulnerability discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team (8731)
  • WP_Query is vulnerable to SQL Injection when passing unsafe data. WordPress Core is not directly vulnerable, but Core has been hardened to prevent plugins from accidentally causing the vulnerability. Reported by Mo Jangda. (8730)
  • UI for assigning taxonomy terms in “Press This” exposed to users without permission. Reported by David Herrera of Alley Interactive. (8729)

In addition to these originally announced fixes, WordPress 4.7.2 also included the following fix:

  • Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint was an issue that existed in 4.7 and 4.7.1. It was reported by Marc-Alexandre Montpas of Sucuri. Additionally, rules were put in place at Sucuri, CloudFlare, SiteLock, and Incapsula to ensure their users would not be affected.

It is strongly suggested that you update your version of WordPress to 4.7.2. If you have not yet updated to 4.7.1, it is strongly suggested that you update to the latest version of WordPress, as 4.7.1 fixed 8 additional severe vulnerabilities.

You can download WordPress 4.7.2, or, if your WordPress host allows, you can login to your dashboard and “Update Now”. Those hosted on Pantheon can update via the Development dashboard, and promote your upstream fix through the different environments.
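To confirm which installs still need this update, here is an added example (not part of the original post) that reads the version string from wp-includes/version.php and lists which of the fixes described above an install predates. The version.php content is a constructed sample, the fix lists are taken from this post, and a pre-release suffix (e.g. 4.7.2-RC1) is assumed to be older than the final release.

```python
import re

# Fix groups from the advisory, keyed by the release that first shipped them.
# Key layout: (major, minor, patch, 1 for a final release / 0 for a pre-release).
PATCHED_IN = {
    (4, 7, 2, 1): [
        "XSS in the posts list table (8731)",
        "WP_Query SQL injection hardening (8730)",
        "Press This taxonomy term UI exposed without permission (8729)",
        "Unauthenticated privilege escalation in a REST API endpoint (Sucuri)",
    ],
    (4, 7, 1, 1): ["8 additional severe vulnerabilities fixed in 4.7.1"],
}

# Constructed sample of wp-includes/version.php; only the $wp_version line matters.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.1';
"""

VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(version_php: str):
    """Extract $wp_version and return a comparable 4-tuple (see PATCHED_IN)."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    core, _, suffix = m.group(1).partition("-")   # '4.7.2-RC1' -> '4.7.2', 'RC1'
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))                   # '4.7' -> 4.7.0
    return tuple(nums[:3]) + (0 if suffix else 1,)  # pre-release sorts below final


def missing_fixes(version_php: str):
    """Return every advisory fix group that this install's version predates."""
    installed = parse_wp_version(version_php)
    return [note for release, notes in sorted(PATCHED_IN.items())
            if installed < release for note in notes]


def check_file(path: str):
    """Convenience wrapper: run missing_fixes() over a real version.php on disk."""
    with open(path, encoding="utf-8") as fh:
        return missing_fixes(fh.read())


if __name__ == "__main__":
    for note in missing_fixes(SAMPLE_VERSION_PHP):
        print("MISSING:", note)
```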

As always, if you have need of assistance, you can contact us, as we are always available to assist with your WordPress, Drupal, and other needs.


UPDATED with links to WPScan Vulnerability Database. No CVE numbers as of this time. Included is the UPEV Sucuri fix.