The WordPress security team revealed that they’ve secretly fixed a zero-day vulnerability in the WordPress CMS REST API.The vulnerability in this case would allow for content injection as well as privilege escalation .
This vulnerability allows an unauthenticated user to “modify the content of any post or page within a WordPress site”
Sucuri, the company that discovered the issue worked closely with WordPress and help them to patch this vulnerability .
WordPress has been revealed and Released The revised WordPress 4.7.2 security log now also mentions “an unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint,” discovered by Sucuri researcher Marc-Alexandre Montpas.
Sucuri Explained in Blog We disclosed the vulnerability to the WordPress Security Team who handled it extremely well.They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public
“A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.”
WordPress team confirmed that the security team had indeed patched a secret flaw without telling its users.
Campbell also confirmed WordPress’ and Sucuri’s efforts to notify major WordPress hosting providers and web security firms of the zero-day.
Thankfully, no attempts to exploit the vulnerability have been detected, neither by Sucuri’s web firewall, or one from other providers.
Most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed “no indication that the vulnerability had been exploited in the wild.”
As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.
Content injection attack refers to inserting malicious content into a legitimate site.
In addition to deceptive actions such as redirecting to other sites, malicious content can install crimeware on a user’s computer through a web browser vulnerability or by social engineering, such as asking a user to download and install anti-virus software that actually contains crimeware.
There are three primary classes of content injection attacks, each of which has many possible variations:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert on a…
The Biden administration confirmed that a Chinese state-sponsored hacking group breached the U.S. Treasury Department,…
Security researchers Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 disclosed a…
Researchers observed a recent surge in activity from the "FICORA" and "CAPSAICIN," both variants of…
The watering hole attack leverages a compromised website to deliver malware. When a user visits…
The NFS protocol offers authentication methods like AUTH_SYS, which relies on untrusted user IDs, and…
View Comments