WordPress has released an update that patches three security flaws in the CMS: a cross-site scripting (XSS) vulnerability, an SQL injection problem that could lead to infection, and a flaw that allowed users to access taxonomy information even when they did not have permission to do so.
These vulnerabilities affect all versions of WordPress below the latest (4.7.2). The first bug was reported by David Herrera of Alley Interactive: the "Press This" function, used to publish posts through browsers, revealed taxonomy terms to users who did not have permission to see them.
The second vulnerability was found by Mo Jangda, a security researcher. It was located in the WP_Query process, which is used to access variables and functions in the WordPress core. The issue lay in the way the system passed data to this process, which left it vulnerable to SQL injection attacks.
This is the second point release of WordPress 4.7, and it follows a previous release just two weeks earlier (4.7.1) that fixed eight problems which could have led to remote attacks, including XSS vulnerabilities, a remote code execution bug in PHPMailer, and a cross-site request forgery flaw.
WordPress users are urged to download the latest version of WordPress manually or to click the "Update Now" button within the CMS. Automatic updates are also being rolled out to websites and hosts that support this feature.