WordPress 4.7.2 Security Release

Thursday, January 26, 2017

WordPress 4.7.2 is now available. This is asecurity releasefor all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by threesecurity issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not havepermissions to use it. Reported by David Herrera ofAlley Interactive.
  2. WP_Queryis vulnerable to a SQL injection (SQLi) when passing unsafedata. WordPress core is not directly vulnerable to this issue, but weve added hardening to prevent plugins and themes from accidentally causing a vulnerability.Reported byMo Jangda(batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported byIan Dunnof the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported byMarc-Alexandre Montpasof Sucuri Security. *

Thank you to the reporters of these issues for practicingresponsible disclosure.

Download WordPress 4.7.2or venture over to Dashboard ? Updates and simply click Update Now. Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please readDisclosure of Additional Security Fix in WordPress 4.7.2.