The core development team of WordPress revealed that a critical zero-day vulnerability was quietly patched by a recent update to the content management system.
The vulnerability was discovered by a website security company, Sucuri and was informed to WordPress on January 20, following which the content management site’s team got as many hosts and security providers aware and patched before this became public.
The flaw could allow unauthenticated users to modify any post or page on a Wordpress site which was a bad news for news organisations like Time, Fortune, and USA Today. Tech companies like IBM, Microsoft, Facebook and many others were equally at risk because this lends itself to a garden variety of vandalism. The vulnerability could be used to introduce harmful links into otherwise benign content. These links could take users to sites that install malicious software on their computers or even be utilised as one element of a larger phishing scam, using the WordPress site as cover.
WordPress said that its technologies power 27% of the internet.
According to Campbell, after learning about the flaw, WordPress developers reached out to security companies that maintain popular web application firewalls (WAFs) so they could deploy protection rules against possible exploits. They then contacted large WordPress hosting companies and advised them on how to implement protections for their customers before an official patch was released. Data from these organisations showed no indication that attackers had been able to exploit the issue.
WordPress version 4.7.2 was released on January 26 as a security update, but the accompanying release notes mentioned only fixes for three moderate risk vulnerabilities, one of which did not even affect the platform's core code. A week later, on Wednesday (February 01), the WordPress security team disclosed that a fourth vulnerability, much more serious than the others, was also patched in version 4.7.2.
The vulnerability was kept quiet at the time, because a fix had to be developed, and making the issue public could potentially have allowed malicious entities to take advantage.
All WordPress users are encouraged to make sure that they have updated their installation to version 4.7.2, as otherwise their site could be hijacked.
The vulnerability affects only WordPress 4.7 and 4.7.1, where the REST API is enabled by default. Older versions are not affected, even if they have the REST API plug-in. It’s possible that criminal entities could use the vulnerability to target WordPress installations that aren’t up to date. Version 4.7.2 has been available since January 26, but users that don’t have automatic updates activated. They will need to initiate the process manually.
WordPress is the most popular website-building platform, which makes it a very attractive target for hackers. It only takes a moment to check that you’re up to date — but if hackers manage to exploit this vulnerability on your site, you’re in for a much bigger headache.