Sucuri Identifies Content Injection Vulnerability in WordPress
Sucuri identified a content injection vulnerability in WordPress V4.7 which resulted in thousands of websites being defaced. Rather than announce to the world and have it further exploited they advised WordPress who fixed in version 4.7.2. In fixing it WordPress did not then announce the security patch but rather left it out of the release notes to gives large WordPress host a heads up to get sites patched.
Publicly announced by Sucuri on Feb 1, stating it was a content problem, they later advised attempts were being made to execute remote commands which is always a concern for any sites hosting eCommerce.
This vulnerability applies to WordPress Version 4.7 installs and is fixed in version 4.7.2 on January 26, 2017 ahead of the Sucuri announcements. If you have not yet upgrade you should do so immediately.
To prevent such events happening to your site we highly recommend adding a security plugin such as the All In One Security plugin to your site and configuring as tightly as possible to prevent code modification.