科技回声
A technology news platform built on Next.js, providing global technology news and discussion.


© 2025 科技回声. All rights reserved.

Another wordpress core exploit in the wild

2 points by parito over 8 years ago

1 comment

parito over 8 years ago

This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.

So basically people who updated religiously were hit, and those who did not, were fine.

I am left wondering if running wordpress sites in read-only state (both files and database) should be the only reasonably safe method.

A lot of people run the files with php ownership (so they could update via /wp-admin, or they just don't care) which opens the site to be exploited by any vuln plugin/theme.

But now it looks like even running proper permissions (NOT www-data) on files is no longer enough, and we should consider mysql in read-only state when no editing is happening...

VERY SAD.