The WordPress REST API has taken its first nasty kick. The latest WordPress security release, version 4.7.2, rolled out on January 26, 2017. At first the changelog claimed that the 4.7.2 security release fixed only three issues:
- Weak authentication and session management: users without the required permissions could access the Press This function and assign taxonomy terms. Reported by David Herrera of Alley Interactive.
- SQL injection hardening in WP_Query: WordPress core is not vulnerable on its own, but WP_Query could become a SQL injection point when insecure plugins or themes pass it unsafe data. This update adds hardening that removes that risk. Reported by Mo Jangda (batmoo).
- Cross-site scripting (XSS) in the posts list table, discovered and reported by Ian Dunn of the WordPress Security Team.
For almost a week only these three fixes were listed in the description of the 4.7.2 release; the fourth fix, for the WordPress REST API vulnerability, was appended later.
WordPress REST API vulnerability
The REST API vulnerability, reported by Marc-Alexandre Montpas of the Sucuri Security team, was kept secret for a while. Disclosure was delayed on purpose, to give WordPress users and hosting providers enough time to update as many websites as possible. Millions of sites were updated, either manually or by the automatic WordPress update service. Still, once the vulnerability was disclosed, thousands of websites were defaced. The affected REST API endpoints shipped in core with WordPress 4.7, so unpatched 4.7.0 and 4.7.1 installations are the ones exposed to this particular bug; treat any site running WordPress 4.7.1 or older as at real risk and update it as soon as possible.
Mass defacement is only one side of the coin. On the other side, websites that use PHP code execution plugins such as Insert PHP or PHP Code Widget face a far bigger threat. These plugins let you run PHP code placed in posts, pages or even widgets, so an attacker who can change post content through the REST API vulnerability can inject PHP as well and execute arbitrary code on the server instead of merely altering what the page displays.
The main reason for this huge wave of defacements is that people do not care enough about site security. Since the introduction of the automatic WordPress update service it has been easier to prevent even bigger attacks, but there are still many websites running older WordPress versions with automatic updates turned off. Some hosting providers also make no effort to alert users, let alone force them, to update on time. Events like this hit the reputation of WordPress quite hard. Let's hope the owners of the hacked websites fix their sites and pick up some website maintenance habits for the future.
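A quick way to find out where a site stands, written as an added example for this post rather than code from WordPress or from the original article: the script below reads the core version from `wp-includes/version.php` (the `$wp_version` variable WordPress keeps there), flags anything below 4.7.2, and checks `wp-config.php` for the two real WordPress settings that switch automatic core updates off (`AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE`). It also parses the `generator` meta tag WordPress prints into page HTML, which is a useful remote hint but not authoritative, since many themes and plugins strip it. The file contents and HTML embedded here are constructed samples, and the function names are this example's own.

```python
"""Audit a WordPress install against the 4.7.2 security release.

Added example, not code from the original post or from WordPress itself.
The sample file contents below are constructed; in practice read
wp-includes/version.php and wp-config.php from the document root.
"""
import re
from typing import Dict, Optional, Tuple

# First release carrying all four fixes, including the REST API one.
PATCHED = (4, 7, 2)

# Constructed sample of wp-includes/version.php (not from a real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.1';
$wp_db_version = 38590;
"""

# Constructed sample of wp-config.php with auto-updates switched off.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', false );
"""

# Constructed sample of a front page carrying the default generator tag.
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 4.7.1" />'
    "</head><body></body></html>"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.7.1', '4.7' or '4.8-beta1' into a comparable tuple.

    Only the leading major.minor[.patch] digits count, so a pre-release
    suffix never inflates the patch number. '4.7' becomes (4, 7, 0).
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a WordPress version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_update(version: str) -> bool:
    """True when the core version predates 4.7.2."""
    return parse_version(version) < PATCHED


def version_from_version_php(src: str) -> Optional[str]:
    """Extract $wp_version from wp-includes/version.php (authoritative)."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", src)
    return m.group(1) if m else None


def version_from_html(html: str) -> Optional[str]:
    """Extract the version from the generator meta tag (remote hint only)."""
    m = re.search(
        r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', html, re.I
    )
    return m.group(1) if m else None


def auto_updates_disabled(config_src: str) -> bool:
    """True if wp-config.php turns off automatic core updates.

    AUTOMATIC_UPDATER_DISABLED = true stops the updater entirely;
    WP_AUTO_UPDATE_CORE = false stops core updates. With neither set,
    WordPress applies minor security releases such as 4.7.2 on its own.
    A value of 'minor' is not matched here and correctly counts as enabled.
    """
    defs: Dict[str, str] = dict(
        re.findall(
            r"define\(\s*['\"]([A-Z_]+)['\"]\s*,\s*(true|false)\s*\)", config_src
        )
    )
    return (
        defs.get("AUTOMATIC_UPDATER_DISABLED") == "true"
        or defs.get("WP_AUTO_UPDATE_CORE") == "false"
    )


def audit(version_php: str, wp_config: str) -> Dict[str, object]:
    """Combine the checks into one report for a single install."""
    version = version_from_version_php(version_php)
    return {
        "version": version,
        "vulnerable": version is not None and needs_update(version),
        "auto_updates_disabled": auto_updates_disabled(wp_config),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG))
    print("generator tag says:", version_from_html(SAMPLE_HTML))
```

Run against the constructed samples the report shows version 4.7.1, `vulnerable: True` and `auto_updates_disabled: True`, which is exactly the combination that left sites exposed once the bug went public. A hosting provider can loop the same `audit` call over every document root it serves and alert or force-update the installs it flags.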