On January 26, WordPress released a security update (4.7.2) to fix a set of vulnerabilities in its platform, including an SQL injection (SQLi) and a cross-site scripting (XSS) vulnerability. They recommended that this version be installed immediately for security reasons. What they did not disclose at the time was that a serious vulnerability existed in the REST API endpoint introduced in version 4.7; that flaw was also fixed in version 4.7.2.
WordPress published a blog post on February 1 that revealed the endpoint vulnerability. The announcement was deliberately delayed so that they could inform security companies about the vulnerability and help them build rules to block attacks against it. The delay was meant to prevent the wave of attacks that typically follows a disclosure. Kudos to the WordPress team for taking immediate action on a serious issue.