This post applies to hosted WordPress installations where auto-updates are disabled.
Yesterday, I noticed there was a blog post titled “Hacked by Unknown” on the Askdba blog.
The post was written by a white-hat hacker who exploited the content injection vulnerability in WordPress 4.7.0 and 4.7.1. This vulnerability allows any visitor (an unauthorized user) to assume a role that can edit or create blog posts. Since auto-updates were disabled, security patches had to be applied manually.
I had disabled auto-updates because they had broken my WordPress installation. But I have enabled them now and would recommend that everyone either upgrade their installations manually or enable auto-updates.
If auto-updates were disabled, you can re-enable them by removing the following line from wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', false );
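As an added example (not code from the original post), a small POSIX shell audit that checks a WordPress install root for the two things this post describes: the WP_AUTO_UPDATE_CORE define that switches core auto-updates off, and a core version in the affected 4.7.0/4.7.1 range. The install path and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress
# install root for: core auto-updates disabled in wp-config.php, and a
# core version (4.7.0 / 4.7.1) affected by the content injection bug.

# Prints "disabled" if wp-config.php defines WP_AUTO_UPDATE_CORE as false,
# "enabled" otherwise (with the line absent, WordPress applies minor and
# security releases on its own).
wp_auto_update_state() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "missing"; return 1; }
    if grep -Eq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$cfg"; then
        echo "disabled"
    else
        echo "enabled"
    fi
}

# Extracts $wp_version from wp-includes/version.php (e.g. 4.7.1); empty if missing.
wp_core_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null | cut -d"'" -f2
}

# WordPress labels the 4.7.0 release as '4.7', so both spellings count.
wp_version_affected() {
    case "$1" in
        4.7|4.7.0|4.7.1) echo "affected" ;;
        *) echo "not-affected" ;;
    esac
}

# One-line verdict for an install root.
wp_audit() {
    state=$(wp_auto_update_state "$1")
    ver=$(wp_core_version "$1")
    echo "core=$ver auto_updates=$state status=$(wp_version_affected "$ver")"
}

# Constructed sample install (not real data) so the audit runs offline:
# a 4.7.1 core with the define from the post present in wp-config.php.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'4.7.1'" > "$dir/wp-includes/version.php"
    printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$dir/wp-config.php"
    echo "$dir"
}
```

Run `wp_audit /path/to/wordpress` against a real install; removing the define as the post recommends flips the reported state to "enabled".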
More details regarding this vulnerability can be found here.