Updating to 8.7.5 is very important, given that attackers could leverage the vulnerability by visiting a URL, and no registration or authentication level is required to abuse the impacted websites. Luckily, an exploit for this vulnerability is not yet available; however, in the event that one is developed, most sites running on Drupal 8.7.4 will be exposed to attacks, given that "default or common module configurations are exploitable."
Just finished patching mine as Softaculous released the patch yesterday.
#security Drupal Patches Critical Bug That Lets Hackers Take Over Sites
The Drupal CMS team has released a security update to address a critical severity access bypass vulnerability in the CMS' core component that could allow attackers to take control of impacted sites.