A privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default in WordPress 4.7.0.

The thing was that anyone(meaning not logged in users) could alter posts on your site. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a bug allows visitors to edit any post on the site.

Sucuri is the company that first discovered the issue and with WordPress and other WAF vendors and hosting companies to add protections before the vulnerability was publicly disclosed.

After the exploit was publicly released it started being actively exploited. Many WordPress sites have been found with messages like “Hacked by NG689Skw” or “Hacked by w4l3XzY3”.

Try it yourself and by Googling for information about these particular hacks and you will stull get thousands of  hacked sites in the results.

A serious vulnerability

WordPress 4.7.2 was released on January 26th 2017 and it is recommended to update immediately.

Read more about the content injection security vulnerability: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

Comments to: WordPress Major Security Vulnerabilities fixed in version 4.7.2

    Your email address will not be published. Required fields are marked *

    Attach images - Only PNG, JPG, JPEG and GIF are supported.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.