Zero-day Content Injection Vulnerability found in WordPress

Pierluigi Paganini February 02, 2017

A new dangerous Zero-day Content Injection vulnerability has been discovered in the WordPress CMS, it affects the WordPress REST API.

A new dangerous vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API.

The vulnerability discovered by a security researcher at firm Sucuri could be exploited by an unauthenticated attacker to inject malicious content as well as for privilege escalation.

The attacker could exploit the zero-day content injection vulnerability to modify posts, pages, as well any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

The impact of the flaw is severe, at least 18 million websites run the popular WordPress CMS, roughly 26% of the top 10,000 websites are running WordPress.

Experts from Sucuri have worked with the WordPress development team that fixed the zero-day content injection vulnerability in the last release 4.7.2.

Experts at Sucuri did not provide technical details about the flaw to prevent that crooks can exploit the vulnerability in attacks in the wild.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!” continues the post.

Administrators that have not enabled automatic updates on their website need to update it as soon as possible.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Zero-day Content Injection, hacking)



you might also like

leave a comment