WordPress REST API Vulnerability Continues to be Exploited

WordPress REST API vulnerability

Almost two weeks have passed since WordPress disclosed an unauthenticated privilege escalation vulnerability in a REST API endpoint in WordPress 4.7 and 4.7.1. At the end of January, WordPress 4.7.2 was released to fix the WordPress REST API vulnerability, a major one among four security issues.

After the disclosure, the attacks seem to continue as WordPress security firms see more attempts blocked by their firewalls. The website security firm that reported the vulnerability to WordPress – Sucuri – was tracking the “Hacked by w4l3XzY3” campaign last week. It estimated 66,000 defacements. The same campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

Wordfence CEO Mark Maunder said, “During the past 24 hours we have seen an average growth in defaced pages per campaign of 44%. The total number of defaced pages for all these campaigns, as indexed by Google has grown from 1,496,020 to 1,893,690. That is a 26% increase in total defaced pages in just 24 hours.”

Maunder also referenced a Google Trends chart that demonstrates the success of defacement campaigns over the past week. The spike began on the day WordPress disclosed the vulnerability.

The development team patched the WordPress REST API vulnerability silently and delayed the disclosure for a week to give WordPress site owners a head start on updating to 4.7.2.

If you haven’t updated your websites to WordPress 4.7.2,

DO IT NOW!

Sucuri founder and CTO Daniel Cid said, “The core of the issue is people not updating. Even with auto and simple updates, people still do not update their sites.”

If you are among those who haven’t yet updated their websites, it is high time you end your risk of content injection.

If your site has been defaced, the easiest solution is to update to the latest version of WordPress and rollback the defaced posts to a revision.

Leave a Reply

Your email address will not be published.