A WordPress core maintainer said the project delayed disclosing the vulnerability, technically an unauthenticated privilege escalation flaw in a REST API endpoint, to “ensure the safety of millions of additional WordPress sites.”
WordPress enabled REST API endpoints by default in the CMS when it shipped version 4.7 in early December 2016, exposing WordPress posts, comments, terms, and other settings over the API.
Marc-Alexandre Montpas, a security researcher with Sucuri, found the flaw and alerted WordPress on Jan. 20.