Zero-day content injection vulnerability found in WordPress REST API

Patch your CMS Now!

Just a very quick post to warn you about a new WordPress vulnerability discovered by Sucuri.

An unauthenticated attacker could exploit the vulnerability to inject malicious content, to modify posts, pages and any other content, and to escalate privileges:

While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.

Is my site affected?

This vulnerability affects the WordPress REST API, which was recently added and is enabled by default in WordPress 4.7.0 and 4.7.1.
If your website runs one of these versions of WordPress, it is currently vulnerable.

Sucuri worked with the WordPress development team, which patched the vulnerability in the latest release, 4.7.2:

We disclosed the vulnerability to the WordPress Security Team who handled it extremely well. They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.

For technical details, please refer to the original article on the Sucuri Blog:

https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

If you have not enabled automatic updates on your website, update as soon as possible!

This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now!
