WordPress 4.7.2 was released on Thursday and users are strongly encouraged to upgrade immediately.
The release upgrades all previous versions of the free and open-source content management system (CMS) reportedly used by 60 million websites.
Three security issues are addressed with the patch, according to the release note.
First, the user interface for assigning taxonomy terms in "Press This" is shown to users who do not have permissions to use it.
Second, a flaw that could allow an SQL injection when passing unsafe data is patched in WP_Query
. While the core is not directly vulnerable, the organization said it bolstered the element to "prevent plugins and themes from accidentally causing a vulnerability."
The third fix addresses a cross-site scripting (XSS) vulnerability that was detected in the posts list table.
WordPress users who set up their preferences to accept security updates automatically received emailed notification of the upgrade. Other users are urged to apply the update quickly by heading over to Dashboard/Updates and clicking “Update Now.”