WordPress Team Secretly Fixed A Zero-Day Critical Content Injection Vulnerability

The WordPress security team revealed that they’ve secretly fixed a zero-day vulnerability in the WordPress CMS REST API.The vulnerability in this case would allow for content injection as well as privilege escalation .

This vulnerability allows an unauthenticated user to “modify the content of any post or page within a WordPress site”

Sucuri, the company that discovered the issue worked closely with WordPress and help them to patch this vulnerability .

WordPress has been revealed and Released The revised WordPress 4.7.2 security log now also mentions “an unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint,” discovered by Sucuri researcher Marc-Alexandre Montpas.

Sucuri Explained in Blog  We disclosed the vulnerability to the WordPress Security Team who handled it extremely well.They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public

“A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.”

No zero-day exploitation attempts detected

WordPress team confirmed that the security team had indeed patched a secret flaw without telling its users.

Campbell also confirmed WordPress’ and Sucuri’s efforts to notify major WordPress hosting providers and web security firms of the zero-day.

Thankfully, no attempts to exploit the vulnerability have been detected, neither by Sucuri’s web firewall, or one from other providers.

Most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed “no indication that the vulnerability had been exploited in the wild.”

As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

Are you at risk  ? From the Sucuri,

1. This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.
2. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.
3. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.

Content injection attack

Content injection attack refers to inserting malicious content into a legitimate site.

In addition to deceptive actions such as redirecting to other sites, malicious content can install crimeware on a user’s computer through a web browser vulnerability or by social engineering, such as asking a user to download and install anti-virus software that actually contains crimeware.

There are three primary classes of content injection attacks, each of which has many possible variations:

• Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
• Crimeware can be inserted into a site through a cross-site scripting vulnerability.
• Malicious actions can be performed on a site through an SQL injection vulnerability.

Also Read :

• Security researcher disclosed a critical MySQL zero-day with versions including 5.5, 5.6
• WordPress Publishes Critical Security Update XSS, SQL Injection vulnerabilities
• Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability