… the newest version (4.7.2) of the popular CMS, ostensibly fixing three security issues affecting versions 4.7.1 and earlier. What the WordPress team didn't share at that time is that the update also secretly fixes a bug that allows unauthenticated users to modify the content of any post or page within a WordPress site.

The vulnerability was discovered by Sucuri researcher Marc-Alexandre Montpas and responsibly disclosed to the WordPress security team on January 20. A fix was soon created, tested, and included in the security update pushed out on January 26. The team reached out to makers of web application firewalls (WAFs) like SiteLock, Cloudflare, and Incapsula to help them create rules that would block exploitation attempts. WordPress hosts have also been privately told of the flaw, and they quietly moved to protect their users.

"By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs [this includes Sucuri's] and WordPress hosts showed no indication that the vulnerability had been exploited in the wild," the WP security team disclosed on Wednesday. "As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public."

Within a couple of hours of the release of the update, WordPress users who have opted for the automatic WP update option had WP 4.7.2 installed and were protected.

The unauthenticated privilege escalation vulnerability in question affects the REST API, which was added and enabled by default on WordPress 4.7.0
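The article gives defenders two facts to act on: the fix ships in 4.7.2 (so 4.7.1 and earlier are exposed), and the exposed surface is REST API writes to posts and pages. The following triage script is an added example, not code from the article, Sucuri or the WordPress team; it assumes the standard `wp/v2/posts` and `wp/v2/pages` REST routes (reached via `/wp-json/` or the `rest_route` query fallback) and a common-log-format access log, and the log lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample web-server access-log lines (not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2017:14:02:11 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1832
203.0.113.5 - - [26/Jan/2017:14:02:13 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 97
198.51.100.7 - - [26/Jan/2017:14:03:01 +0000] "PUT /index.php?rest_route=/wp/v2/pages/3 HTTP/1.1" 200 240
192.0.2.9 - - [26/Jan/2017:14:04:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [26/Jan/2017:14:05:09 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both ways WordPress exposes REST routes: pretty permalinks (/wp-json/...) and the
# rest_route query-parameter fallback. Route names are assumed, not taken from the article.
ROUTE_RE = re.compile(r'(?:/wp-json|[?&]rest_route=)/wp/v2/(?P<type>posts|pages)/(?P<id>\d+)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
FIXED_VERSION = (4, 7, 2)  # first release carrying the fix, per the article

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.7.1' -> (4, 7, 1); pad '4.7' to (4, 7, 0); drop suffixes such as '-RC1'."""
    parts = tuple(int(p) for p in v.split("-")[0].split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(version: str) -> bool:
    """True once the site runs 4.7.2 or later."""
    return parse_version(version) >= FIXED_VERSION

def find_content_writes(log: str) -> List[Dict[str, str]]:
    """Collect REST write requests against individual posts/pages for analyst review.
    An access log cannot show whether the caller was authenticated, so each hit is a
    review item (who edited what, and was it an editor's session?), not a confirmed attack."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        r = ROUTE_RE.search(m["path"])
        if r:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "type": r["type"], "id": r["id"], "status": m["status"]})
    return hits

def triage(version: str, log: str) -> List[Dict[str, str]]:
    """Only a site below 4.7.2 is exposed; for a patched site nothing needs review."""
    return [] if is_patched(version) else find_content_writes(log)
```

Run `triage("4.7.1", SAMPLE_LOG)` to see the two post/page writes flagged for review; the same call with "4.7.2" returns nothing because the auto-updated site is already covered.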