Attackers Exploit WordPress Bug, Deface Thousands of Websites
WordPress users who haven’t already upgraded to the latest security release of the popular content management system should do so immediately. A recently discovered vulnerability exploits a WordPress bug that allows an unauthenticated user to modify the content of any page or post on a WordPress site — an attack that has reportedly defaced more than 67,000 websites already.
As reported by Bleeping Computer, website security provider Sucuri uncovered the severe privilege escalation vulnerability — also known as content injection — which affects the WordPress REST API. By exploiting this weakness, an attacker can access and alter content on a WordPress site.
The Fix Is In
This WordPress bug attack illustrates the importance of installing software security updates as quickly as possible. Case in point: WordPress 4.7.2, a security release for all previous versions, became available on January 26, 2017. The company strongly encouraged WordPress users to update their sites immediately. The patch fixed several vulnerabilities, the most severe of which was the privilege escalation issue.
Sucuri’s Marc-Alexandre Montpas, who discovered the WordPress exploit, explains that since the affected REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1, it’s critical for users to upgrade immediately.
“If your website is on these versions of WordPress, then it is currently vulnerable to this bug,” he writes.
Less than 48 hours after the vulnerability was reported, multiple public exploits were shared and posted online, which quickly led to probing and exploit attempts across the Internet, writes Sucuri’s Daniel Cid in a February 6th post.
The bad news: A significant number of WordPress users haven’t installed version 4.7.2, allowing attackers to deface tens of thousands of sites at the rate of nearly 3,000 per day.
“WordPress has an auto-update feature enabled by default, along with an easy one-click manual update process,” Cid writes. “Despite this, not everyone is aware of this issue or able to update their site.”
The Defacers Strike
Sucuri is tracking four hacking groups that are largely responsible for the mass defacement campaigns, which should lessen over the next several days, the security vendor forecasts. Moving forward, Sucuri expects the WordPress vulnerability to lead to much more SEO spam or search engine poisoning, which the defacers can monetize.
Website defacement remains popular among cyberattacks. As Broadsuite founder and president Daniel Newman points out, a defacer might do something as silly as post an obscene banner on a site’s homepage or engage in far more sinister activity such as stealing valuable, high-profile data. For organizations, the lesson is clear: Don’t be cavalier about security.