On 1.26.17 WordPress released the 4.7.2 Security Release. While the release has multiple security patches, one of the patches closes a vulnerability that is best described by the vendor that discovered it. This vulnerability allows both privilege escalation and content injection to modify any blog. For more info on the vulnerability, please see:
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

The WordPress Codex suggests the 4.6.3 Release does not have this vulnerability:
https://codex.wordpress.org/Version_4.6.3

IT Security recommends utilizing either 4.6.3 or 4.7.2.