The recently patched WordPress REST API endpoint vulnerability is the gift that keeps on giving. Researchers at Sucuri disclosed details on how it could be leveraged to pull off a stored cross-site scripting (XSS) attack. The stored XSS bug was patched last week in the WordPress core when the version 4.7.3 security update was released. An attacker who defaced a website using an exploit for the REST API vulnerability could also have stored malicious JavaScript on the site, to be triggered later. The issue was not patched until the release of the update to version 47.2 and 4.3.
Source: https://threatpost.com/wordpress-rest-api-bug-could-be-used-in-stored-xss-attacks/124294/

