The vulnerability was patched in WordPress v4.7.2 two weeks ago, but millions of sites haven't yet updated. This leaves them open to a vulnerability in the WordPress REST API, which can allow malicious actors to edit any post on a site.
Ars Technica has a very