WordPress Fixes Security Flaw that Opened Users to Content Injection Attacks
WordPress delayed disclosing a REST API endpoint bug that left sites running WordPress 4.7 and 4.7.1 vulnerable to content injection attacks, in order to protect those sites while the fix was rolled out in WordPress 4.7.2, according to a blog post published Wednesday by WordPress Core Contributor Aaron Campbell.
Sucuri security researcher Marc-Alexandre Montpas alerted the WordPress Security Team to the vulnerability on Jan. 20; the team then worked with Sucuri to coordinate disclosure with the patching effort.
“Due to this type-juggling issue, it is then possible for an attacker to change the content of any post or page on a victim’s site,” Montpas wrote in a blog post to the Sucuri site. “From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads, etc.”
Montpas also noted that, depending on the plugins installed on a site, attackers could use the vulnerability to execute PHP code. The researcher praised the WordPress team for handling the situation “extremely well.”
Between Sucuri’s private report to WordPress and the public disclosure, WordPress hosting providers and firewall providers including Sucuri, SiteLock, CloudFlare, and Incapsula were informed. Akamai was also notified and monitored internet traffic for attempts to exploit the vulnerability, reporting Wednesday that it had seen none.
“We believe transparency is in the public’s best interest,” Campbell wrote. “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”