I just had a look at the details of the bug. It was found in the new REST API that WordPress enabled by default for the first time in 4.7.0.
When I read the patch notes for 4.7.0 I sighed inwardly at having a new API, which I had no interest in using currently, enabled by default, and I looked for a way to turn it off. It seemed that there was no easy way to disable it, and the documentation I found cautioned against doing so anyway, as the API is apparently used by unspecified core routines.
Here's a quote from someone on StackOverflow:
"The REST API is not really a security issue, but I suppose some could surface in the future. It's much more important to look at Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex.
As of WordPress 4.7, the filter provided in core for disabling the REST API (via functions.php) was removed because the API is in core now. There is no official option to disable the API as some core functionality depends on it. So if you disable the API, you may see breakage because by default the API core and is available for use by themes and plugins and other sites."
(I bet the author of that reply feels pretty stupid about that first sentence now!)
The whole thing is just an accident waiting to happen. I shall look again at ways to turn off this unwanted API.