Target Remote Code Execution

February 1, 2017

Name: WordPress REST API Vulnerability
Officially announced: FEBRUARY 1, 2017
Risk: Severe
Exploitation level: Easy/Remote
DREAD score: 9/10
Vulnerability: Privilege Escalation + Content Injection
Patched version: WordPress 4.7.2

What: This privilege escalation vulnerability affects the WordPress REST API, which was recently added and enabled by default in WordPress 4.7.0.

How: One of the REST endpoints exposes post operations via the API: view, edit, delete and create. A subtle bug in this particular endpoint lets visitors edit any post on the site. The REST API is enabled by default on every site running WordPress 4.7.0 or 4.7.1, so if your website is on either of these versions it is currently vulnerable to this bug.
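As an added triage example (not code from the original post), the script below scans constructed access-log lines for write requests against the wp/v2/posts endpoint, reachable both as /wp-json/wp/v2/posts and through the ?rest_route= fallback, and checks a page's generator tag for the two affected versions. The log lines, IP addresses and helper names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2017:09:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:09:12:03 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1453 "-" "python-requests/2.12"
198.51.100.9 - - [10/Feb/2017:09:13:10 +0000] "GET /?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 4011 "-" "curl/7.50"
198.51.100.9 - - [10/Feb/2017:09:13:11 +0000] "POST /?rest_route=/wp/v2/posts/12 HTTP/1.1" 200 1453 "-" "curl/7.50"
203.0.113.8 - - [10/Feb/2017:09:14:20 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The posts endpoint answers on the pretty route and on the ?rest_route= query fallback.
POSTS_ROUTE_RE = re.compile(r'(^/wp-json/wp/v2/posts|[?&]rest_route=/wp/v2/posts)(/|$|\?|&)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# WordPress 4.7.0 reports itself as "4.7" in the generator tag.
VULNERABLE_VERSIONS = {"4.7", "4.7.1"}
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)


def find_rest_post_writes(log_text: str) -> List[Dict[str, object]]:
    """Return write requests against the wp/v2/posts endpoint, oldest first.

    Anonymous writes to this endpoint are rare on a healthy site, so a 200 here
    is worth comparing against the affected post's revision history.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") not in WRITE_METHODS:
            continue
        if POSTS_ROUTE_RE.search(m.group("path")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
                         "path": m.group("path"), "status": int(m.group("status"))})
    return hits


def is_vulnerable_version(html: str) -> bool:
    """True if the page's generator tag names WordPress 4.7.0 or 4.7.1.

    Hardening plugins often strip this tag, so False means "not proven", not "safe".
    """
    m = GENERATOR_RE.search(html)
    return bool(m) and m.group(1) in VULNERABLE_VERSIONS


if __name__ == "__main__":
    for hit in find_rest_post_writes(SAMPLE_LOG):
        print(hit)
```

Two flagged writes come out of the sample, one on each route; on a real log, also correlate the source IPs with the timestamps of any unexpected post edits.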

Find out today

Contact us and mention your URL to find out if you are affected


Update: FEBRUARY 10, 2017
We are starting to see remote command execution (RCE) attempts exploiting the latest WordPress REST API vulnerability. These RCE attempts began after a few days in which defacers rushed to vandalize as many pages as they could.

VICTIMS: publicly visible & already hacked domains
defacer #1 - Google search result of 66,000+ domains
defacer #2 - Google search result of 300+ domains
defacer #3 - Google search result of 200+ domains
defacer #4 - Google search result of 100+ domains

Update: FEBRUARY 22, 2017
We are seeing a huge increase in remote command execution (RCE) attempts successfully exploiting the latest WordPress REST API vulnerability.

VICTIMS: publicly visible & already hacked domains
defacer #1 - Google search result of 365,000+ domains
defacer #2 - Google search result of 7,550+ domains
defacer #3 - Google search result of 1,720+ domains
defacer #4 - Google search result of 368+ domains


by Csaba Miklós