WPTavern: WordPress REST API Vulnerability is Being Actively Exploited, Hundreds of Thousands of Sites Defaced
Last Updated: 8th Feb 2017
At the end of January, WordPress 4.7.2 was released to fix four security issues, three of which were disclosed at the time of the release. These included a SQL injection vulnerability in WP_Query, a cross-site scripting (XSS) vulnerability in the posts list table, and the Press This feature allowing users without permission to assign taxonomy terms. The fourth and most critical issue, an unauthenticated privilege escalation vulnerability in a REST API endpoint, was fixed silently and disclosed a week after the release.
Contributors on the release opted to delay disclosure in order to mitigate the potential for mass exploitation, given that any site running 4.7 or 4.7.1 is at risk. This allowed time for users to update manually and for automatic updates to roll out.
"We believe transparency is in the public's best interest," WordPress Core Security Team Lead Aaron Campbell said. "It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites."
WordPress worked with Sucuri, the company that discovered the issue, along with other WAF vendors and hosting companies to add protections before the vulnerability was publicly disclosed.
The vulnerability has been public for less than a week and is now being actively exploited. Thousands of WordPress sites have been defaced with messages like "Hacked by NG689Skw" or "Hacked by w4l3XzY3" or similar. Googling for information about these particular hacks returns thousands of other hacked sites in the results.
Sucuri founder and CTO Daniel Cid said his team saw exploits in the wild less than 24 hours after the disclosure. The attacks are primarily simple defacements so far.
"There are some good bad guys updating the post excerpt with the message: 'Update WordPress or you will be hacked,' which is kind of weird," Cid said. "But overall we're seeing just simple defacement attempts, using modified versions of the exploit that we shared publicly."
Multiple Campaigns Have Defaced Hundreds of Thousands of WordPress Sites
Sucuri is monitoring multiple defacement campaigns, each with varying degrees of success. The company published an update on the active attacks as well as the IP addresses they are originating from.
"We are currently tracking four different hacking (defacement) groups doing mass scans and exploit attempts across the internet," Cid said. "We see the same IP addresses and defacers hitting almost every one of our honeypots and network."
One defacement campaign Sucuri is tracking already has more than 68,000 pages indexed on Google. After perusing the WordPress.org forums, the problem seems to have a much larger reach than Sucuri's network had initially detected. For example, "Hacked by NG689Skw" returns approximately 200K indexed results. "Hacked By SA3D HaCk3D" returns more than 100K results. There are multiple permutations of this defacement in play on WordPress websites across the web. Not all results that share this same campaign structure are guaranteed to be associated with this vulnerability, but the few listed above were recent posts on the WordPress.org forum from users who failed to update to 4.7.2 in time.
"On our end, we are seeing a big growth on exploit attempts, especially for defacement," Cid said. "But SPAM SEO is slowly growing too."
Cid said that on its own the vulnerability allows attackers to inject content into a post or page; defacement is the easy first step, along with SEO spam. If a site has a plugin like Insert PHP or PHP Code Widget installed, the vulnerability can lead to remote code execution. These two plugins have more than 300K combined active installs and there are others that perform similar functions.
âThe core of the issue is people not updating,â Cid said. âEven with auto and simple updates, people still do not update their sites.â
Needless to say, if you haven't updated to 4.7.2 and your site is running 4.7.0 or 4.7.1, you are at risk of content injection. For most sites that have been defaced, the simplest solution is to update to the latest version of WordPress and roll back the defaced post(s) to a revision.
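The revision rollback recommended above can be scripted for sites with many defaced posts. The WP-CLI command below is an added example, not code from WPTavern, Sucuri or WordPress core; it assumes post revisions are enabled and that the site has already been updated to 4.7.2, since a rolled-back post on an unpatched site would simply be defaced again. The command name and the marker argument are chosen here for illustration.

```php
<?php
// Added example (not from the article or WordPress core): a WP-CLI command that
// finds posts/pages whose title, excerpt or content matches a defacement marker
// and restores the newest revision that does not contain it.
// Usage: wp defacement rollback "Hacked by" [--dry-run]
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

WP_CLI::add_command( 'defacement rollback', function ( $args, $assoc_args ) {
    $marker  = $args[0];
    $dry_run = isset( $assoc_args['dry-run'] );

    // WP_Query's 's' parameter searches post title, excerpt and content,
    // which covers both body defacements and the excerpt-only variant.
    $hits = new WP_Query( array(
        'post_type'      => array( 'post', 'page' ),
        'post_status'    => 'any',
        's'              => $marker,
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );

    foreach ( $hits->posts as $post_id ) {
        // Revisions are returned newest first; take the first one free of the marker.
        $clean = null;
        foreach ( wp_get_post_revisions( $post_id ) as $rev ) {
            $haystack = $rev->post_title . ' ' . $rev->post_excerpt . ' ' . $rev->post_content;
            if ( false === stripos( $haystack, $marker ) ) {
                $clean = $rev;
                break;
            }
        }
        if ( null === $clean ) {
            WP_CLI::warning( "Post {$post_id}: no clean revision found, review manually." );
            continue;
        }
        if ( $dry_run ) {
            WP_CLI::log( "Post {$post_id}: would restore revision {$clean->ID}." );
        } elseif ( wp_restore_post_revision( $clean->ID ) ) {
            // Restoring a revision replaces title, excerpt and content together.
            WP_CLI::success( "Post {$post_id}: restored revision {$clean->ID}." );
        } else {
            WP_CLI::error( "Post {$post_id}: restore failed.", false );
        }
    }
}, array( 'synopsis' => '<marker> [--dry-run]' ) );
```

Run it with `--dry-run` first to review which posts and revisions would be touched, and treat any post reported without a clean revision as a candidate for manual restoration from backup.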