WordPress 4.7.2 patches a major security vulnerability

Wordpress security update

What if any unauthenticated site visitor can modify the content of any post or page on your site. It feels daunting and means your site is under a huge security risk. You could have been scared if you knew this issue before. But it is a great news for the WordPress users that WordPress 4.7.2 fixes this major bug along with several others. That’s why you must ensure upgrading your WordPress site to the latest 4.7.2 version. Also, don’t forget to take a full website backup before starting the update.

Although this update should be applied automatically by the WordPress system, still you should check your dashboard to avoid risks.

What were the threats?

A few security issues were taken into consideration after being reported by the users and contributors to WordPress. But the good news is, they can no more pose any threat to your site once your instance gets updated to WordPress 4.7.2. Let us take a look at the threats.

  1. Unauthenticated users had the chance to see the user interface for assigning taxonomy terms in Press This.
  2. WP_Query was pretty vulnerable to SQL injection (SQLi) while passing unsafe data.
  3. Cross-Site-Scripting vulnerability in the post lists table.
  4. An unauthenticated privilege escalation vulnerability in a REST API endpoint. One of these REST endpoints (a subtle bug) allowed access (via the API) to view, edit, delete and create posts within this particular endpoint.

The fourth one was not a threat to your site before 4.7.0. Because of enabling default Rest API in the version 4.7.0 and 4.7.1, It posed a threat.

How to address these issues?

As the list includes four different security issues, you might be wondering what to do to fix all of these. No worries. Just update your site to 4.7.2 and your security issues are fixed automatically as all fixes are made in this version.

NB: if you have not updated your site yet, we recommend you to do that right away click here Download WordPress 4.7.2  or update from your site back-end

Leave a Reply