Last week, WordPress released the latest version (4.7.2) of the popular platform, fixing three security vulnerabilities in version 4.7.1 and earlier.
What the WordPress team didn't tell the public is that a 0-day bag that allows hackers to remotely change or delete the content of pages on a WordPress site was also secretly fixed at the time.
The security flaw in question was discovered by Sucuri researcher Marc Alexandre Monpass. He shared his discovery with the WordPress team on January 20th, who quickly fixed the bug, tested the fix, and included it in an update released on January 26th.
However, it's not that the WordPress team didn't want to warn users that they were at risk, they wanted to keep hackers away from the service until users were protected.
A bug present in versions 4.7 and 7.7.1. allows hackers to modify all pages on unpatched sites and redirect visitors to malicious sites.
WordPress decided to wait a week before the company issued an explanation to the public and urged everyone who had not done so to download the latest version of WordPress immediately.
Source: Information
