Thousands of WordPress domains have been subject to attack through a severe content injection security flaw that many website operators have failed to protect themselves against.

The security flaw, a zero-day vulnerability that affects the REST API, allows attackers to modify the content of posts or pages within a website backed by the WordPress content management system (CMS).

As noted by cybersecurity firm Sucuri, one of the REST endpoints allows access via the API to view, edit, delete, and create posts.

“Within this particular endpoint, a subtle bug allows visitors to edit any post on the site,” the company says. “From there, they [attackers] can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads.”

Depending on the plugins already installed, it could also be possible for attackers to execute PHP code.

The WordPress security team silently included a fix for the zero-day vulnerability in the latest 4.7.2 release, issued on Jan. 26. The patch also fixed a number of other issues, including an SQL injection flaw and a cross-site scripting (XSS) vulnerability.

However, it seems that a number of webmasters have not kept up to date with their patch schedules. According to Sucuri, two weeks after the update was released to the public, evidence has emerged of attackers taking advantage of vulnerable websites in defacement campaigns.

Multiple public exploits have been shared online, and over 66,000 WordPress websites have been compromised by four different groups. The researchers say they have spotted the same IP addresses and defacers “hitting almost every one of our honeypots and network.”

In one campaign, a Google search alone turns up thousands of compromised websites.
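For site operators who want to check whether their own logs show the pattern Sucuri describes (repeat source addresses writing to the REST posts endpoint), here is an added triage script; it is not part of the article or Sucuri's tooling. It assumes Apache/nginx "combined" access-log lines and the standard WordPress route /wp-json/wp/v2/posts; the log lines below are constructed samples.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# The REST route the article refers to; only write methods can alter a post.
POSTS_ROUTE = re.compile(r'^/wp-json/wp/v2/posts(?:/|\?|$)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log (documentation IP ranges), including one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2017:08:01:02 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120 "-" "curl/7.50"
198.51.100.7 - - [10/Feb/2017:08:01:05 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 812 "-" "curl/7.50"
203.0.113.9 - - [10/Feb/2017:08:02:11 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 401 95 "-" "python-requests"
192.0.2.5 - - [10/Feb/2017:08:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
this line is not in combined format
198.51.100.7 - - [10/Feb/2017:08:04:00 +0000] "POST /wp-json/wp/v2/posts/13 HTTP/1.1" 200 790 "-" "curl/7.50"
""".splitlines()


def parse_line(line):
    """Return the fields we need as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_rest_writes(lines):
    """List (ip, method, path, status) for every write request to the posts route."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in WRITE_METHODS and POSTS_ROUTE.match(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def accepted_writes_by_ip(hits):
    """Count, per source IP, the writes the server actually accepted (2xx).
    Rejected writes (401/403) are what a patched site should be returning."""
    return Counter(ip for ip, _m, _p, status in hits if 200 <= status < 300)


if __name__ == "__main__":
    for ip, n in accepted_writes_by_ip(find_rest_writes(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} accepted post edits via REST")
```

A non-zero count for an address that never authenticated through wp-login.php is worth checking against the site's revision history.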
