name: WordPress REST API Vulnerability
officially announced: FEBRUARY 1, 2017
Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation + Content Injection
Patched Version: WordPress 4.7.2
what: This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.
how: One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.
CHEAPER & FASTER: Compared to designers + developers + sysadmins hired for specific WordPress tasks.
UPDATE: FEBRUARY 10, 2017
Starting to see remote command execution (RCE) attempts exploiting the latest WordPress REST API Vulnerability. These RCE attempts started after a few days of defacers rushing to vandalize as many pages as they could.
VICTIMS: publicly visible & already hacked domains
defacer #1 – Google search result of 66,000+ domains – link
defacer #2 – Google search result of 300+ domains – link
defacer #3 – Google search result of 200+ domains – link
defacer #4 – Google search result of 100+ domains – link
UPDATE: FEBRUARY 22, 2017
We are starting to see a huge increase of remote command execution (RCE) attempts succesfully exploiting the latest WordPress REST API Vulnerability.
VICTIMS: publicly visible & already hacked domains
defacer #1 – Google search result of 365,000+ domains – link
defacer #2 – Google search result of 7,550+ domains – link
defacer #3 – Google search result of 1,720+ domains – link
defacer #4 – Google search result of 368+ domains – link
