If you have not already updated your WordPress website to version 4.7.2, you need to do so immediately!
Although three security fixes were disclosed in the original WordPress 4.7.2 Security Release posted last week, an additional security fix was disclosed on February 1st. This additional disclosure, an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint, was announced to exist in both WordPress 4.7 and 4.7.1 -- earlier versions of WordPress are apparently not vulnerable.
This vulnerability allows attackers to bypass standard WordPress security measures in order to change content, so if you haven't already, we strongly recommend you update to WordPress 4.7.2 right now!
The good news is, if your WordPress site was set to install security updates automatically, it has likely already updated.
Updating to WordPress 4.7.2
Although WordPress 4.7.2 was released as an auto-update, double-check that your site has actually done so. If it hasn't, you'll find the WordPress 4.7.2 update still available from the Updates page of your WordPress dashboard. Get to the Updates page by clicking on Dashboard, then Updates. Of course, I strongly recommend taking a backup of your WordPress site before performing any updates.
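For anyone looking after several installs, here is an added example (not from the original post) of a shell check that reads the version WordPress core records in wp-includes/version.php and flags sites still on 4.7 or 4.7.1; the sample sites it creates under a temporary directory are constructed placeholders, not real installs.

```shell
#!/bin/sh
# Added example: audit WordPress site roots for the 4.7 / 4.7.1 REST API flaw.

# Print the version string recorded in wp-includes/version.php, or nothing
# if the directory does not hold a WordPress install.
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 0
    # The file contains a line of the form: $wp_version = '4.7.1';
    grep -F '$wp_version = ' "$f" | head -n 1 | cut -d "'" -f 2
}

# Per the advisory, only 4.7 and 4.7.1 carry the flaw; 4.7.2 fixes it.
wp_has_rest_flaw() {
    case "$1" in
        4.7|4.7.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one status line per site root given on the command line.
wp_audit() {
    for root in "$@"; do
        v=$(wp_installed_version "$root")
        if [ -z "$v" ]; then
            echo "$root: no WordPress install found"
        elif wp_has_rest_flaw "$v"; then
            echo "$root: $v VULNERABLE - update to 4.7.2 now"
        else
            echo "$root: $v ok"
        fi
    done
}

# Constructed sample installs so the script runs offline (placeholders only).
make_sample_site() {  # $1 = site root, $2 = version string to record
    mkdir -p "$1/wp-includes"
    printf '<?php\n$wp_version = '"'"'%s'"'"';\n' "$2" > "$1/wp-includes/version.php"
}
SAMPLE=$(mktemp -d)
make_sample_site "$SAMPLE/siteA" 4.7.1
make_sample_site "$SAMPLE/siteB" 4.7.2
wp_audit "$SAMPLE/siteA" "$SAMPLE/siteB" "$SAMPLE/none"
```

Point `wp_audit` at your real document roots (for example `wp_audit /var/www/*`) to get the same report for live sites.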
About the Disclosure
In mid-January, security researchers at Sucuri discovered this vulnerability and alerted WordPress.org. The WordPress security team immediately began working on a solution, and in parallel worked with Sucuri and other companies with Web Application Firewalls (WAFs) to create a set of rules that would protect users until the permanent fix had been developed. This permanent fix was added to the, then upcoming, WordPress 4.7.2 release.
On January 26th, WordPress released 4.7.2 and it went out over the auto-update system. WordPress held back the public disclosure of this particular vulnerability for about a week to give websites not using auto-update a chance to be updated before the vulnerability was made public, which happened on February 1st.