WordPress 4.7.2 was released on 26 January 2017. This release fixed an unannounced zero-day vulnerability in the WordPress REST API. Yet, thousands of WordPress sites are still vulnerable to this attack. One of the REST endpoints allows remote access to WordPress posts with permission to view, edit, delete, and create new posts. Depending on plugins installed on the hacked site, attackers could even execute PHP code. This is a serious vulnerability, but it has been fixed.
Unfortunately, according to Sucuri, two weeks after the update, sites are still being defaced by exploits using this vulnerability. I did a Google search this morning for the blame line from one version of the exploit and the search returned over 150,000 results. If you own or manage WordPress websites, go right now and make sure they have all been updated to WordPress 4.7.2.
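If you manage many installs on one server, the check can be scripted. The following is an added example, not part of the original post: it reads the `$wp_version` value that WordPress core stores in `wp-includes/version.php` and flags every install older than 4.7.2. The function names and the directories passed on the command line are assumptions of this sketch.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 7, 2)  # release this page names as containing the REST API fix
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(text):
    """Return the $wp_version value as a 3-tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # Keep only the leading numeric part: '4.8-beta1' -> (4, 8, 0)
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        return None
    parts = [int(p) for p in nums.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(root):
    """Map each WordPress install under root to (version, needs_update)."""
    report = {}
    for vf in sorted(Path(root).rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue  # some other version.php, e.g. inside a plugin
        site = vf.parent.parent
        ver = parse_version(vf.read_text(errors="replace"))
        # An unreadable version is flagged for manual review, not assumed safe.
        report[str(site)] = (ver, ver is None or ver < FIXED)
    return report


if __name__ == "__main__":
    # Usage (paths are whatever directories hold your sites): script.py DIR...
    for root in sys.argv[1:]:
        for site, (ver, stale) in audit(root).items():
            shown = ".".join(map(str, ver)) if ver else "unknown"
            print(f"{'UPDATE' if stale else 'ok':6}  {shown:8}  {site}")
```

The script only reports the core version on disk; a site flagged here should also have its posts reviewed for defacement after updating.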