Thousands of Sites at Risk from Newly Identified Zero Day WordPress Vulnerability

A Sucuri researcher has recently discovered a new zero day WordPress vulnerability in the WordPress REST API. The vulnerability permits content injection and the escalation of user privileges. Should it be exploited, an unauthenticated user might be able to make modifications to any content found on the WordPress sites, which could include the addition of malicious links or exploit kits, therefore turning totally harmless sites into websites which serve to spread malicious malware and ransomware.

Sucuri informed WordPress of the flaw and the matter has been addressed in the most recent version of the CMS platform. WordPress has begun automatically updating its websites and downloading the latest version. That said, many sites that are still running older, more vulnerable versions of WordPress remain active. Every business that has used WordPress for its CMS is strongly encouraged to update to version 4.7.2 of the platform as soon as possible.

Ordinarily WordPress rapidly issues updates as soon as a new zero day WordPress vulnerability has been discovered, and this reputation was once more proved to be justified in the recent example. The newest version of the platform was made available on the 26th of January 2017. The vulnerability concerned the REST API which had been introduced in WordPress version 4.7. All users running version 4.7 or 4.7.1 are therefore at risk of their site being affected.

Sucuri states that the vulnerability is significant and may be exploited in numerous different ways. Comprehensive details of the zero day WordPress vulnerability have not been released as doing so would only assist wrongdoers to exploit the flaw. Sucuri believe that, depending on the plugins installed, the vulnerability may lead to a remote code execution.

Sucuri adds that although the content passes through wp_kses, there remain methods of injecting JavaScript and HTML through it.

BuiltWith, the analytics website, has stated that there are some 93,981 websites around the globe which run WordPress version 4.7 or later, some of which are very popular. Over a quarter of the top 10,000 websites are currently WordPress-based.