Sites still vulnerable to a severe REST API endpoint flaw in WordPress are now being targeted by attackers trying to turn a profit. The vulnerability was silently patched in the recent 4.7.2 security update. Researchers at SiteLock estimate that some 20 attackers are vying for these illicit dollars. The attackers are taking advantage of websites running on the WordPress platform that have not yet updated to the most recent version. The issue lies in the way the REST API manages access: it gives precedence to values supplied via GET and POST over existing values.
Source: https://threatpost.com/criminals-monetizing-attacks-against-unpatched-wordpress-sites/123848/

