
WordPress REST API vulnerability makes a tremendous impact on thousands of websites

The WordPress REST API has taken its first nasty kick. The latest WordPress security release, version 4.7.2, rolled out on January 26, 2017. At first, the changelog claimed that WordPress Security Release 4.7.2 fixed only three issues:

  1. Weak authentication and session management: users without the required permissions could access the Press This function and assign taxonomy terms. This issue was reported by David Herrera of Alley Interactive.
  2. WP_Query was vulnerable to possible SQL injection. WordPress core is not vulnerable on its own in this case; the update eliminates threats that insecure WordPress plugins and themes could introduce. This vulnerability was reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability in the post list table was discovered and reported by Ian Dunn of the WordPress Security Team.

For almost one week these three fixes were the only ones listed in the description of WordPress Security Release 4.7.2, but later a fourth fix was appended. The fourth fix addressed the WordPress REST API vulnerability.

WordPress REST API vulnerability

Reported by Marc-Alexandre Montpas of the Sucuri Security team, the WordPress REST API vulnerability was kept secret for a while. Disclosure was delayed on purpose to give WordPress users and hosting providers enough time to update as many WordPress websites as possible. Millions of websites were updated manually or by the automatic WordPress update service. Even so, after the vulnerability was disclosed, thousands of websites were defaced. Keep in mind that your site is under real threat if your WordPress version is 4.7.1 or older. We highly recommend updating such websites as soon as possible.

A significant number of defaced WordPress sites is just one side of the coin. On the other side, there are far bigger threats to websites that use PHP code execution plugins such as Insert PHP or PHP Code Widget. These plugins allow you to execute PHP code in posts, pages or even widgets. Combining the discovered WordPress REST API vulnerability with a PHP execution plugin may lead to much deeper exploitation of the website.

The main reason for this huge number of defacement attacks is that people do not care enough about their site security. Since the introduction of the automatic WordPress update service it is easier to prevent even bigger attacks, but there are still many websites running older WordPress versions with the automatic update service turned off. Also, some hosting providers make no effort to alert users, let alone force them, to update on time. Such events hit the reputation of WordPress quite hard. Let's hope the owners of the hacked websites will fix their sites and pick up some website maintenance habits for the future.
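The two practical rules in this post (a site on 4.7.1 or older needs updating now, and an unpatched site that also runs a PHP execution plugin is in far worse shape) are easy to turn into an inventory check for an administrator or hosting provider who maintains many WordPress installs. The script below is an added example, not code from the original post or from WordPress itself: the site inventory is constructed sample data, and the plugin slugs `insert-php` and `php-code-widget` are assumptions used only to illustrate the "PHP execution plugin present" condition.

```python
"""Inventory triage for the WordPress 4.7.2 security release.

Added example (not from the original post). Given a list of sites an
administrator or host maintains, flag those still on 4.7.1 or older, note
whether automatic core updates are off, and raise the severity when a PHP
execution plugin is installed. The inventory at the bottom is constructed
sample data; the plugin slugs are assumptions for illustration.
"""
from typing import List, Tuple

# The post's rule: anything older than the 4.7.2 release is under threat.
FIXED_VERSION = (4, 7, 2)

# Plugins the post names as allowing PHP execution in posts/pages/widgets.
# Slugs are assumed for illustration; compare against your own plugin list.
PHP_EXECUTION_PLUGINS = {"insert-php", "php-code-widget"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.7', '4.7.1' or '4.7.2-alpha' into a comparable tuple.

    WordPress omits a trailing '.0' ('4.7' means 4.7.0), so the result is
    padded to three components. A pre-release suffix after '-' is dropped.
    """
    core = version.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable WordPress version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the site runs a version older than the 4.7.2 fix."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: List[dict]) -> List[dict]:
    """Return one finding per site that needs attention, most urgent first."""
    findings = []
    for site in inventory:
        if not is_vulnerable(site["version"]):
            continue
        risky = PHP_EXECUTION_PLUGINS & set(site.get("plugins", []))
        findings.append({
            "host": site["host"],
            "version": site["version"],
            "auto_update_off": not site.get("auto_update", True),
            "php_exec_plugins": sorted(risky),
            # Defacement is bad; a PHP execution plugin on an unpatched
            # site can turn content injection into code execution.
            "severity": "critical" if risky else "high",
        })
    # Critical findings first, then alphabetical by host for a stable report.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["host"]))
    return findings


# Constructed sample inventory (not real sites).
SAMPLE_INVENTORY = [
    {"host": "blog.example.test", "version": "4.7.2", "auto_update": True, "plugins": ["akismet"]},
    {"host": "shop.example.test", "version": "4.7.1", "auto_update": False, "plugins": ["insert-php"]},
    {"host": "docs.example.test", "version": "4.7", "auto_update": True, "plugins": []},
    {"host": "old.example.test", "version": "4.6.3", "auto_update": False, "plugins": ["php-code-widget"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['host']:20} WP {f['version']:6} "
              f"auto-update {'OFF' if f['auto_update_off'] else 'on'} "
              f"php-exec plugins: {', '.join(f['php_exec_plugins']) or '-'}")
```

Run against the sample inventory, the report lists the two sites with a PHP execution plugin as critical and the bare 4.7.0 site as high, while the patched site produces no finding; in practice the inventory would come from whatever tooling already records each site's core version, plugin list and auto-update setting.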

Darius S.
