hundreds-of-thousands-of-wordpress-sites-defaced-through-rest-api-vulnerability.jpg
Chris O'Brien February 07, 2017 A 2 minute read

Hundreds of Thousands of WordPress Sites Defaced through REST API Vulnerability

At the end of January, WordPress 4.7.2 was released to fix four security issues, three of which were disclosed at the time of the release. The fourth and most critical issue, an unauthenticated privilege escalation vulnerability in a REST API endpoint, was fixed silently and disclosed a week after the release. This vulnerability allows anyone with the right know-how to edit the content of your site without needing a valid username and password.

Contributors on the release opted to delay disclosure in order to mitigate the potential for mass exploitation, given that any site running 4.7 or 4.7.1 is at risk.

“We believe transparency is in the public’s best interest,” WordPress Core Security Team Lead Aaron Campbell said. “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”

If you haven’t updated to WordPress 4.7.2 you are at risk of content injection.

The defacement campaigns are going strong and increasing by the day, but we believe that it will slow down in the next few days. What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post.

WordPress worked with Sucuri, the company that discovered the issue, along with other web application firewall (WAF) vendors and hosting companies to add protections before the vulnerability was publicly disclosed.

“We are currently tracking four different hacking (defacement) groups doing mass scans and exploits attempts across the internet.” said Daniel Cid, Founder & CTO of Sucuri, “The defacement campaigns are going strong and increasing by the day, but we believe that it will slow down in the next few days. What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. ”

If you haven’t yet updated to 4.7.2 and your site is running 4.7.0 or 4.7.1, you are at risk for content injection. For most sites that have been defaced, the simplest solution is to update to the latest version of WordPress and rollback the defaced post(s) to a revision.