The vulnerability was discovered by researchers from web security firm Sucuri and was reported privately to the WordPress team on January 20. It’s located in the platform’s REST API (application programming interface) and allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The vulnerability only affects WordPress 4.7.7 and 4.1, where the REST API is enabled by default. Older versions are not affected, even if they have the API plug-in. Developers say they intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

