In WordPress admin backend or Dashboard area, the following security alert popup may be displayed and shown prominently on the top of the page:

SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress version 4.7.4, which has 1 known security vulnerabilities. You should upgrade WordPress as soon as possible. More Information

The More Information links to a page on WPScan Vulnerability Database at domain.

The “security alert” warning message is a legit message prompted by WP-SpamShield plugin. WP-SpamShield periodically checks the WPScan Vulnerability Database for any known WordPress security exploits and vulnerabilities, and if the site’s WordPress version has any known vulnerability, the plugin will display the “security alert” warning message to the admin.

Currently, WordPress version 4.7.4 has a Zero-Day Exploit related to host header injection in password reset that has not been patched. The vulnerability was recently discovered and exists in all versions of WordPress including the latest version. The vulnerability does not affect system that is properly configured, i.e. system that does not allow requests with faked Host header requests, and ensures that $_SERVER[‘SERVER_NAME’] does not get overwritten by a user-supplied header. Before the vulnerability is fixed on WordPress core, there are several mitigation methods that you could take to nullify the exploit on this post.