WordPress 4.7.2 fixed the issue, but it was a “silent patch”. The fix was hidden within other issues in order to give everyone time to patch their systems.
At the time of 4.7.2’s release details of the flaw were kept secret, as the security community raced to ensure that as many sites were protected as possible as Aaron Campbell explained in a WordPress blog post.
Sounds like a rather nasty flaw, so it’s understandable that a “silent patch” was applied.
UPDATE: More detailed information available here.