As you might remember, we recently blogged about a critical Content Injection Vulnerability in WordPress which allowed attackers to deface vulnerable websites. While our original disclosure only described one vulnerability, we actually reported two to the WordPress team. As it turns out, it was possible to leverage the content injection issue to achieve a stored cross-site scripting attack. This issue was patched in WordPress 4.7.3.
Are You at Risk?
This vulnerability has been present in WordPress for quite a while, well before 4.7.
Continue reading Stored XSS in WordPress Core at Sucuri Blog.