WordPress developers fixed three security issues this week, including a cross-site scripting vulnerability and a SQL injection vulnerability, in the latest version of the CMS.
The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version.
Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress’ blog.
One of the issues, the SQL injection, affected WordPress’ WP_Query, a class used to access variables, checks and functions coded into the WordPress core. Mohammad Jangda, a web developer at Automattic – WordPress’ parent company – discovered that the class is vulnerable when unsafe data is passed to it. While the issue didn’t affect the WordPress core, Campbell writes that WordPress added hardening to prevent plugins and themes from causing further vulnerabilities.