In late January 2017, WordPress 4.7.2 was released, containing security patches that addressed four different vulnerabilities. Three of the vulnerabilities were disclosed at the time of the release, while WordPress privately contacted WordPress hosts with information about ways to protect users.

It was later revealed that the most critical issue of the bunch is a vulnerability in a REST API endpoint. This flaw has allowed hackers to break in to modify the content of any site running WordPress versions 4.7.0 and 4.7.1. So far, 20 hacking groups have defaced over 1.5 million web pages and thousands of websites running on these two outdated versions.

The vulnerability was discovered by Sucuri researchers, who worked with WordPress and other WAF vendors to build a fix in the 4.7.2 update. (See here for WordPress’ full disclosure.)

1.5 Million Sites Defaced Through REST API Vulnerability
Source: Threat Post

The REST API content endpoints were first introduced to WordPress 4.7.0 in December 2016. This means sites running on versions 4.7.0 and 4.7.1 must be updated to the latest WordPress version to avoid the risk of malicious content injection.

WP Engine customers need not worry as we’ve been issuing patches across the platform to upgrade installs to the next stable version. As soon as a new version of WordPress rolls out, we automatically upgrade your site for you so it contains the latest security patches. Automated security updates are part of our promise to deliver the most secure WordPress experience possible.

See here for more information on secure WordPress hosting with WP Engine.