WordPress versions 4.7.1 and earlier are vulnerable to three security issues
by CIRT Team
- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permission to use it.
- WP_Query is vulnerable to SQL injection (SQLi) when it is passed unsafe data. WordPress core is not directly vulnerable to this issue.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
- An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
Impact: An intruder can take control of the web system by exploiting the above-mentioned vulnerabilities.
Mitigation: The vendor has released a new version (WordPress 4.7.2).