Let me begin by saying: Patch your sites. Now.
WordPress issued a patch last week that effectively patches an undisclosed exploit in versions 4.7 and 4.7.1. This was announced to major security firms like SiteLock, Cloudflare and Incapsula but none of these firms reported live attacks (yet).
That’s likely because WordPress has yet to disclose the details of the actual vulnerability.
Typically this wouldn’t be a big deal — WordPress issues monthly patches to the Open-Source CMS without issue. However, this exploit would allow for an unauthenticated attacker (so they don’t need to login to exploit the site) to change the content of any post or page on a victim’s site. There are some pretty heavy security implications there as that would inevitably allow the attacker to infect the users of these WordPress sites.
WordPress comes with auto-update turned on by default now but most developers turn this off as it can break integrations with the plugins. This means that companies have to keep up-to-date with patching their installs.
Those that fall behind and don’t pay attention to these security alerts open themselves to some serious issues if exploited.
For those of you who want the technical details, check out their official announcement here: https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/