WordPress 4.7.2 Security Release

February 3, 2017

Summary

WordPress has fixed several critical flaws in its content management system, addressing cross-site scripting and sql injection bugs, along with a severe privilege escalation / content injection vulnerability. [1]

Impact

The content injection vulnerability could allow an attacker to modify the content of any WordPress post or page.  This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site, including the installation of malicious content or the defacement of web pages.  Depending on the plugins enabled on the site, PHP code could be executed by the attacker. [2]

Successful exploitation of cross-site scripting and sql injection attacks could allow an attacker to inject malicious code into a website. 

Vulnerable

  • WordPress versions 4.7.1 and all previous versions.

Recommendations

  • Upgrade to WordPress version 4.7.2 immediately.  [1]

References

[1]  https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
[2]  https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[3]  http://www.theregister.co.uk/2017/02/02/last_weeks_boring_sqli_wordpress_patch_hid_fix_for_godmode_zero_day/