WordPress 4.7.2: How a serious security flaw showed the strength of the community
WordPress recently patched three security flaws before disclosing a fourth: a bug in the WordPress REST API that gave attackers a way to remotely gain the privilege to modify site content and inject malicious code.
What have I been doing the last couple weeks? Working hard to keep ~27% of the Internet safe – https://t.co/5xwCOnXPRf— Aaron D. Campbell (@aaroncampbell) February 1, 2017
The vulnerability was discovered during a research project for Sucuri Firewall (WAF), which included an audit of multiple open source projects looking for security issues.
The unauthenticated privilege escalation vulnerability in a REST API endpoint is a flaw that could let hackers change the content of any post or page on a victim’s site, add plugin-specific shortcodes to exploit vulnerabilities in those plugins, infect the site content with an SEO spam campaign, or inject ads. But don’t worry: if you have applied the WordPress 4.7.2 update, the vulnerability is no longer present.
After reporting the vulnerability, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients, and other companies such as SiteLock, Cloudflare and Incapsula were made aware so that they could protect WordPress users and check for exploit attempts.
As the WordPress Security Team worked to test and refine the fix, they privately contacted WordPress hosts to inform them of the vulnerability in order to safeguard users.
The team intentionally delayed the public disclosure of the vulnerability by one week to give automatic updates time to run and to avoid the potential for mass exploitation, ensuring the safety of millions of WordPress sites.
Sucuri posted a blog post about the severe content injection vulnerability after it was resolved, but they aren’t the only ones talking about it. Gratitude for Sucuri’s responsible disclosure is pouring in from the WordPress community, including acknowledgment from fellow security companies who were among the first group notified of the vulnerability.
Sucuri have continued to monitor attacks and have reported seeing a large number of attempts to exploit the WordPress REST API vulnerability for remote command execution.
The attackers are targeting plugins including Insert PHP, Exec-PHP and similar installed plugins, which allow users to insert PHP code directly into posts to make customization easier. Combined with this vulnerability, such a plugin lets the attackers execute PHP code by injecting it into post content via the REST API. Sucuri recommends disabling these plugins.
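The two exploit patterns described above, unauthenticated writes to the REST API posts endpoint and injected content that a PHP-executing plugin would run, are the kind of thing a site owner or WAF operator can look for in request logs. The following is an added example, not code from Sucuri, WordPress or either plugin: it tags constructed request records (field names `ip`, `method`, `path`, `body` are assumptions), counts REST write attempts per source address, and checks whether a core version string is at or above the 4.7.2 fix release. The `[insert_php]` shortcode and raw `<?php` markers are assumptions about how Insert PHP and Exec-PHP mark code in post content.

```python
"""Triage helper for the REST API content-injection pattern (added example)."""
import re
from collections import Counter

# Write requests to the core REST API posts/pages endpoints.
REST_CONTENT_PATH = re.compile(r"^/wp-json/wp/v2/(posts|pages)/\d+", re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed markers of PHP-in-post plugins: Insert PHP's [insert_php] shortcode
# and Exec-PHP's raw <?php blocks.
PHP_EXEC_MARKERS = [
    re.compile(r"\[insert_php\]", re.I),
    re.compile(r"<\?php", re.I),
]

# Constructed sample request records (not real traffic).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "method": "GET", "path": "/wp-json/wp/v2/posts/1", "body": ""},
    {"ip": "203.0.113.10", "method": "POST", "path": "/wp-json/wp/v2/posts/1",
     "body": '{"content":"<a href=http://spam.example/>cheap pills</a>"}'},
    {"ip": "198.51.100.7", "method": "POST", "path": "/wp-json/wp/v2/posts/42",
     "body": '{"content":"[insert_php] echo 1; [/insert_php]"}'},
    {"ip": "192.0.2.5", "method": "POST", "path": "/wp-login.php", "body": "log=admin&pwd=..."},
]


def classify(req):
    """Return finding tags for one request record.

    'rest-content-write' marks a write-method request to a posts/pages
    endpoint; 'php-exec-payload' is added when the body also carries a
    marker that a PHP-executing plugin would run.
    """
    findings = []
    if req["method"].upper() in WRITE_METHODS and REST_CONTENT_PATH.match(req["path"]):
        findings.append("rest-content-write")
        if any(m.search(req["body"]) for m in PHP_EXEC_MARKERS):
            findings.append("php-exec-payload")
    return findings


def triage(requests):
    """Tag every request and count REST content writes per source IP."""
    tagged = [(r, classify(r)) for r in requests]
    per_ip = Counter(r["ip"] for r, f in tagged if "rest-content-write" in f)
    return tagged, per_ip


def is_patched(version):
    """True if a WordPress version string is 4.7.2 or later."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (4, 7, 2)


if __name__ == "__main__":
    tagged, per_ip = triage(SAMPLE_REQUESTS)
    for req, findings in tagged:
        if findings:
            print(req["ip"], req["method"], req["path"], ",".join(findings))
    print("REST writes per IP:", dict(per_ip))
    print("4.7.1 patched?", is_patched("4.7.1"))
```

REST writes are not malicious on their own, since the WordPress admin, mobile apps and plugins use the same endpoints, so the `rest-content-write` tag is a candidate for correlation (with the presence of an authentication cookie and nonce, or with the request rate per source), while `php-exec-payload` on a site that still has one of these plugins active is worth treating as an incident.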
This serious vulnerability showed more than a temporary weakness in the REST API. It also showed the strength of the WordPress community, who worked together to mitigate the threat, combining their efforts to protect all WordPress users.