WordPress 4.7.3 supersedes all previous versions, and the company “strongly encourages” all users to apply the update immediately.
The new version addresses:
Cross-site scripting (XSS) via media file metadata.
Control characters can trick redirect URL validation.
Unintended files can be deleted by administrators using the plugin deletion functionality.
XSS via video URL in YouTube embeds.
XSS via taxonomy term names.
Cross-site request forgery (CSRF) in the Press This module leading to excessive use of server resources.
Version 4.7.3 also contains 39 maintenance fixes.
On Jan. 26, WordPress released version 4.7.2, which apparently not only patched some security issues in the previous release but also created at least one of the issues addressed by the most recent release. In 4.7.2, WordPress fixed a taxonomy issue in Press This, evidently causing the CSRF problem fixed by 4.7.3.
Version 4.7.2 also patched a weakness that left WP_Query open to SQL injection when passed unsafe data. Though the WP core itself was not affected, WordPress developers hardened the code to prevent theme and plugin designers from accidentally causing a security hole.
WordPress 4.7.2 also patched an extremely serious unauthenticated privilege escalation vulnerability in a REST API endpoint that had been introduced in version 4.7. According to WordPress core contributor Aaron D. Campbell, the vulnerability was never exploited in the wild.