The Art of Rejection of Content Injection
Are you running a recent version of Wordpress? If you are using either version 4.7.0 or 4.7.1 you are at risk of being attacked via an exploit in the Wordpress REST API. If you have noticed some strange behaviour on your Wordpress site and you are unsure of how it came to happen, read on for advice on what this is and how to remedy the situation.
As a Wordpress exploit scanner, it is imperative that we keep abreast of security issues and exploits as they crop up, whether in Wordpress itself or in plugins, so that we can plug these holes and alert users to issues they may encounter.
Recently an exploit came to light in two versions of Wordpress, 4.7.0 and 4.7.1. It is classified as a severe content injection vulnerability: it allows an unauthenticated user to modify the content of posts or pages on a Wordpress site even though they do not have the permissions to do so. In layman's terms, this is a user privilege escalation, whereby a visitor could edit any post on a Wordpress site, provided they knew about the subtle bug introduced in those versions of Wordpress. Basically any Tom, Dick and Harry could alter a Wordpress site without even needing Administrator rights. Bit of a pisstake eh, but it is the kind of thing we at Fixhacked are quickly alerted to and resolve as quickly as possible.
A fix for this exploit was silently included in the release of Wordpress 4.7.2, which removed this security issue and a few lesser known ones. Now that you have had time to respond and update your version of Wordpress, it is only right that we share with you the issues that cropped up and how you may have been digitally shafted (read: exploited) if your Wordpress site had been attacked.
So, Are You In Danger?
This permissions/privilege escalation affected the Wordpress REST API, which was recently added to Wordpress in version 4.7.0. This API is enabled by default, which is worrying if you're on either of the affected versions.
The affected endpoints in the REST API allow any user, even a Visitor, to view, edit, delete and create posts, even if their permissions/privileges do not allow this. The bug in this endpoint allows anyone to edit posts on the Wordpress website through simple code injection in the endpoint.
This vulnerability allows hackers to utilise an RCE (remote command execution) to inject malicious JavaScript or HTML code through wp_kses.
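As an added example (it is not part of the original post and not a Fixhacked tool), the following Python script triages a web server access log for write requests against the Wordpress REST API posts routes, the place this bug was exploited, and checks whether a site's version is one of the two the post names. The log lines are constructed samples; the route patterns assume the standard /wp-json/ and ?rest_route= forms of the core API.

```python
import re

# The two releases the post names as affected.
AFFECTED_VERSIONS = {"4.7.0", "4.7.1"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Write methods against the core posts routes, with or without pretty permalinks.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
POSTS_ROUTE_RE = re.compile(
    r'(^/wp-json/wp/v2/posts(/|\?|$))|([?&]rest_route=/wp/v2/posts(/|&|$))'
)

def is_affected_version(version: str) -> bool:
    """True for the two releases the post says carry the bug."""
    return version.strip() in AFFECTED_VERSIONS

def find_rest_post_writes(log_lines):
    """Return a triage record for each write request to the posts routes.

    An access log does not show whether the client was logged in, so every
    hit is a lead to review; a 2xx status means the server accepted the change."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS or not POSTS_ROUTE_RE.search(m["path"]):
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "accepted": m["status"].startswith("2"),
        })
    return hits

# Constructed sample lines, not traffic from any real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2017:10:12:03 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Feb/2017:10:12:09 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 4811',
    '198.51.100.9 - - [05/Feb/2017:10:13:44 +0000] "POST /?rest_route=/wp/v2/posts/3 HTTP/1.1" 401 97',
    '192.0.2.5 - - [05/Feb/2017:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_rest_post_writes(SAMPLE_LOG):
        flag = "ACCEPTED" if hit["accepted"] else "rejected"
        print(f'{flag:8} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Accepted writes from addresses you do not recognise as your own editors are the ones to compare against the post revision history in the dashboard.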
So, What Do You Do?
If you are running a version of Wordpress prior to 4.7.0, even with the REST API plugin installed, you are not affected. If you are running either of the two versions of Wordpress with this now known issue, you should update your Wordpress now!
Fixhacked is aware of this bug within the REST API and the two compromised versions of Wordpress, and is notifying users of the issues.
If you have been hacked as a result of this vulnerability, I would recommend that you also take the following steps:
- Download our simple easy to use (really!) exploit scanner from www.fixhacked.com
- Upload this scanner to your Wordpress, it works just like utilising any of your other plugins. Upload and activate. That is all!
- Let us do all the work, by scanning all of your Wordpress files.
- We tell you which files are corrupted and could be further exploited by hackers, provide you with a solution to any exploitation issues you may have, help you clean these up quickly and efficiently, and advise of any further changes wherever necessary.
Should you find that any of your files have been corrupted or exploited as a result of this vulnerability and you are unsure of what to do next, Contact Us and Hire an Expert to help resolve the issues you may have. You can then get back to doing what you do best: providing more content for your Wordpress site or business.
Until next time.