People go after anything that is free without thinking about the consequences. WordPress is one of the most popular and easiest-to-use content management systems (CMS) in the world, so even a small security flaw in it does huge damage and affects millions of users.
Security researchers at Sucuri found that WordPress websites are vulnerable to a critical and easily exploitable content injection vulnerability.
The content injection (privilege escalation) vulnerability affects the REST API and allows an unauthenticated attacker to modify the content of any post or page on a WordPress website. The researchers reported the vulnerability privately to the WordPress security team, and a fix shipped before the details were published.
Anyone who has still not updated WordPress to the latest version, 4.7.2, released on 26 January 2017, remains exposed.
Marc-Alexandre Montpas, a security researcher at Sucuri, wrote in his blog post: “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”
He further wrote: “This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to an RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject JavaScript and HTML through it. Update now!”
If you, or anyone you know, still run an older version of WordPress, it is high time to update to the latest version.
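The advisory quoted above names the affected releases (4.7.0 and 4.7.1) and the fixed one (4.7.2). The script below is an added triage example, not code from Sucuri or the WordPress project: it reads the `generator` meta tag and the `https://api.w.org/` REST discovery link that stock WordPress prints in `<head>`, and classifies the reported version against the affected set. The HTML it runs on is constructed for the example and `example.invalid` is a placeholder hostname; on a real site you would feed it the front page you fetched.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a WordPress front page used as offline input; it is
# not fetched from any real site. The generator meta tag and the api.w.org
# discovery link are what stock WordPress emits in <head>.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.7.1" />
<link rel='https://api.w.org/' href='https://example.invalid/wp-json/' />
</head><body></body></html>"""

# Versions named in the advisory: 4.7.0 and 4.7.1 ship the vulnerable
# endpoint, 4.7.2 is the fixed release. Releases before 4.7 did not have
# the core REST API posts endpoint at all.
AFFECTED = {(4, 7, 0), (4, 7, 1)}
FIXED = (4, 7, 2)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.7' or '4.7.1' into a three-part tuple.

    WordPress prints x.y releases without a trailing .0, so pad to
    three components before comparing."""
    parts = [int(p) for p in text.strip().split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def wordpress_version(html: str) -> Optional[str]:
    """Version string from the generator meta tag, or None if it is absent."""
    m = re.search(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
        html, re.IGNORECASE)
    return m.group(1) if m else None


def rest_api_root(html: str) -> Optional[str]:
    """REST API root advertised by the api.w.org discovery link, if present."""
    m = re.search(
        r'<link\s+rel=["\']https://api\.w\.org/["\']\s+href=["\']([^"\']+)["\']',
        html, re.IGNORECASE)
    return m.group(1) if m else None


def assess(html: str) -> Dict[str, Optional[str]]:
    """Classify a page as vulnerable / patched / not-affected / unknown."""
    version = wordpress_version(html)
    root = rest_api_root(html)
    if version is None:
        # Generator tag stripped (common with hardening plugins): the page
        # alone cannot tell us the version, so do not report it as safe.
        status = "unknown"
    else:
        v = parse_version(version)
        if v in AFFECTED:
            status = "vulnerable"
        elif v >= FIXED:
            status = "patched"
        else:
            status = "not-affected"
    return {"version": version, "rest_root": root, "status": status}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

Treat "unknown" as a prompt to check the version from the admin dashboard, not as a clean result: many sites remove the generator tag on purpose. Likewise, the absence of the discovery link does not mean the REST API is disabled; the only reliable fix is running 4.7.2 or later.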