WordPress Security Vulnerabilities fixed in version 4.7.2

A privilege escalation vulnerability affects the WordPress REST API, which was added and enabled by default in WordPress 4.7.0.

One of these REST endpoints exposes post operations through the API: viewing, editing, deleting and creating posts. A bug in this endpoint lets any visitor edit any post on the site.

WordPress collaborated with Sucuri (the company that discovered the issue), with other WAF vendors and with hosting companies to put protections in place before the vulnerability was publicly disclosed.

Once the exploit was publicly released, the vulnerability came under active exploitation. Many WordPress sites have been found with posts reading “Hacked by NG689Skw” or “Hacked by w4l3XzY3”, and searching for either string returns thousands of other defaced sites.

This is a serious vulnerability.

WordPress 4.7.2, which fixes the issue, was released on January 26th 2017. Update immediately.
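For site owners triaging whether they were affected, the three facts above (write operations on the posts endpoint are the attack surface, the two defacement strings are the visible symptom, and 4.7.2 is the fixed release) can be turned into a small check. The following script is an added example, not code from the post, from Sucuri or from WordPress core. It assumes Apache/Nginx combined-format access logs and a plain list of post contents as input; the log lines and post bodies embedded in it are constructed samples using RFC 5737 documentation addresses, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields we need from a combined/common log line: client IP, timestamp,
# HTTP method, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Methods that modify posts. Legitimate use of these requires an
# authenticated editor, so anonymous successes are worth a close look.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Defacement strings reported in the wild for this issue (from the post above).
DEFACEMENT_MARKERS = ("Hacked by NG689Skw", "Hacked by w4l3XzY3")

# First core release containing the fix.
PATCHED_VERSION = (4, 7, 2)


def targets_posts_endpoint(target: str) -> bool:
    """True if the request target addresses the wp/v2/posts REST route,
    via the /wp-json/ prefix or the ?rest_route= fallback used by sites
    without pretty permalinks."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/wp/v2/posts"):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.startswith("/wp/v2/posts"):
            return True
    return False


def parse_log_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_post_writes(log_lines):
    """Return every write-method request aimed at the posts endpoint.
    Each hit carries a 'succeeded' flag (2xx response) so those can be
    triaged first; failed attempts still show who was probing."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if targets_posts_endpoint(rec["target"]):
            rec["succeeded"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def find_defaced_posts(posts):
    """posts: iterable of (post_id, content). Returns the ids whose content
    contains one of the known defacement markers."""
    return [pid for pid, content in posts
            if any(marker in content for marker in DEFACEMENT_MARKERS)]


def parse_version(version: str):
    """'4.7.1' -> (4, 7, 1); a trailing suffix such as '-beta1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(version: str) -> bool:
    """True once the installed core version is 4.7.2 or later."""
    return parse_version(version) >= PATCHED_VERSION


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:10:15:22 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [06/Feb/2017:10:15:40 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1601',
    '198.51.100.7 - - [06/Feb/2017:10:16:01 +0000] "POST /?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 1601',
    '192.0.2.9 - - [06/Feb/2017:10:17:13 +0000] "GET /index.php HTTP/1.1" 200 8820',
    '203.0.113.5 - - [06/Feb/2017:10:18:00 +0000] "DELETE /wp-json/wp/v2/posts/13 HTTP/1.1" 401 120',
]

# Constructed sample post contents (id, body).
SAMPLE_POSTS = [
    (12, "<p>Hacked by NG689Skw</p>"),
    (13, "Regular post content."),
    (14, "Hacked by w4l3XzY3"),
]

if __name__ == "__main__":
    for hit in find_post_writes(SAMPLE_LOG):
        flag = "SUCCEEDED" if hit["succeeded"] else "failed"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]} ({flag})')
    print("defaced post ids:", find_defaced_posts(SAMPLE_POSTS))
    for v in ("4.7.1", "4.7.2", "4.8"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
```

A successful write to the posts endpoint from an address that never authenticated is the strongest signal; correlate hits against the `wordpress_logged_in_*` cookie or the site's user activity log before treating them as confirmed compromise. Posts flagged by the marker scan should be restored from a pre-incident revision after the core update, since the update closes the hole but does not undo edits already made.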

Read more about the content injection security vulnerability: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
