Open-source content management system WordPress released an urgent security update last week for versions 4.7.2 and earlier and is strongly encouraging users to update immediately.
The new version (4.7.3) contains fixes to numerous security flaws that allowed for cross-site-scripting (XSS) via media file metadata (as well as video URLs in YouTube embed and taxonomy terms names) and other issues including unintended files which could be deleted by administrators using the plugin deletion functionality and control characters tricking redirect URL validation. There are also some 40 maintenance fixes to this update.
Websites that use the support automatic update feature should already be receiving the recent update but those using manual updates should consider updating to 4.7.3 now.