So when there is a security flaw in its system , it affects millions of users on the Internet . Sucuri found Vulnerability-related.DiscoverVulnerability a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site . However , there is good news since Sucuri discretely reported Vulnerability-related.DiscoverVulnerability the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch Vulnerability-related.PatchVulnerability before this became public . In their blog post , Marc Alexandre Montpas from Sucuri stated Vulnerability-related.DiscoverVulnerability that “ This privilege escalation vulnerability affects Vulnerability-related.DiscoverVulnerability the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0 . One of these REST endpoints allows access ( via the API ) to view , edit , delete and create posts . Within this particular endpoint , a subtle bug allows visitors to edit any post on the site . The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1 . We are hiding some technical details to make it harder for the bad guys , but depending on the plugins installed on a site , it can lead to a RCE ( remote command execution ) . Also , even though the content is passed through wp_kses , there are ways to inject Javascript and HTML through it