WordPress 4.7.2, a security release for WP 4.7 “Vaughan”, has been made available for download and update. The highly recommended release covers the following security patches, as reported in the release post.
- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
The update can be downloaded from WordPress.org or installed through your preferred update method/plugin.