Security Risk: Severe

Exploitation Level: Easy/Remote

DREAD Score: 9/10

Vulnerability: Privilege Escalation / Content Injection

Patched Version: 4.7.2

At FlowPress, our developers are consistently performing technical audits against our clients sites as part of our monthly Web Operations offering. In late January, one of our Developers who co-manages some 4,000+ sites noticed endpoints appearing within URL structures. Now, FlowPress was not the first to notice this, nor did we originally extrapolate our thought to the global scale of the issue, but that client decided (rightfully upon being given the info) not to upgrade to 4.7.1. The reason being that this vulnerability allows an unauthenticated user to modify the content within a WordPress site.

The WordPress team worked incredibly quickly to release a patched version of WordPress for 4.7.2. Since then the issues are slowly but surely being cleared in the form of tasks from the Asanas’, Teamworks’, and Jiras’ all over the world as businesses and individuals reclaim control of their web properties.

In this post, we’re going to discuss whether or not you are at risk of having content injected into your site (whether you have upgraded or not).

This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.

One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.

In Conclusion

At this point you need to do a couple of things. First and foremost, update WordPress to version 4.7.2 if you have not already done so. Seriously, do it now! Okay…are you back? Good!

The second thing you can do is search for exposed usernames. You can use a tool like this, or you can search Google to find another tool that will crawl the front-end of your website and return to you a list of your URLs that contain exposed usernames.

If you are really worried about your website security, you can disable the REST API though this is not necessary so long as you’ve upgraded to at least WordPress version 4.7.2.

Following the above steps will ensure that your website is secure and that third party content can not be injected to your site!

Alex Allevato

Project Manager

Alex has been with FlowPress for over 2 years. In his time at FlowPress he has worked on support, products, marketing, and events. Currently, most of his time is dedicated to Project Management!