If your WordPress site is still running 4.7 or 4.7.1, update it to 4.7.2 now.
At the end of January, WordPress 4.7.2 was released to fix four security issues, three of which were disclosed at the time of the release. … (The) most critical issue, an unauthenticated privilege escalation vulnerability in a REST API endpoint, was fixed silently and disclosed a week after the release.
According to Sucuri founder and CTO Daniel Cid, exploitation of the REST API flaw was seen in the wild within 24 hours of the vulnerability being disclosed.
The attacks, which have affected thousands of sites, are mainly defacements that replace post content with text such as "Hacked by w413XzY3" or "Hacked by NG689Skw", or some variation on that pattern. The Kurdish hacker known as MuhmadEmad used the exploit to insert the Kurdish flag and the statement “long live Peshmerga”, a reference to the Peshmerga, the Kurdish military forces fighting Islamic State.
While the attacks so far are simple defacements, the damage is not confined to the site itself: search engines are indexing the defaced pages, so search results for affected sites are starting to show the "Hacked by …" text, typically in the page title.
These defacements are essentially the proof-of-concept Sucuri published, applied at scale. They show that the exploit works, and the ability to rewrite any post's content also opens the door to further abuse of the site. To clean up a defaced post, update WordPress first, then restore the post from a prior revision (WordPress keeps revisions of edited posts, so the pre-defacement content is usually still available).
WordPress 4.7.2 also fixed three other security issues:
- Cross-site scripting (XSS) vulnerability discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team. (8731)
- WP_Query is vulnerable to SQL Injection when passing unsafe data. WordPress Core is not directly vulnerable, but Core has been hardened to prevent plugins from accidentally causing the vulnerability. Reported by Mo Jangda. (8730)
- UI for assigning taxonomy terms in "Press This" exposed to users without permission. Reported by David Herrera of Alley Interactive. (8729)
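The cleanup procedure described above (check that the site is no longer on 4.7 or 4.7.1, find the posts carrying the "Hacked by" marker, and roll each one back to a prior revision) can be scripted with WP-CLI. The script below is an added example written for this post; it is not code from the original article, from WordPress or from Sucuri. It assumes that post revisions are enabled (the default), that the defacement marker is the "Hacked by" string seen in the wild, and that the file is saved as wp-defacement-cleanup.php (a name chosen here). It only reports until you pass the word restore as an argument.

```php
<?php
/**
 * Added example: report posts and pages defaced with a "Hacked by ..." marker
 * and, on request, roll each one back to its newest revision that does not
 * carry the marker.
 *
 * Dry run (report only):   wp eval-file wp-defacement-cleanup.php
 * Actually restore:        wp eval-file wp-defacement-cleanup.php restore
 *
 * Assumptions: WP_POST_REVISIONS is not disabled, and the marker text is the
 * "Hacked by" string used in the observed defacements.
 */

// WP-CLI places extra positional arguments in $args.
$restore = isset( $args ) && in_array( 'restore', (array) $args, true );
$marker  = 'Hacked by';

// 1. Still on a vulnerable version? Cleaning up without updating invites a repeat.
global $wp_version;
if ( version_compare( $wp_version, '4.7.2', '<' ) ) {
    printf( "WARNING: WordPress %s is still vulnerable; run `wp core update` before restoring content.\n", $wp_version );
}

// 2. Find every post or page whose title, excerpt or content contains the marker.
//    'sentence' => true searches the exact phrase; otherwise "by" is dropped as a stopword.
$defaced = get_posts( array(
    's'              => $marker,
    'sentence'       => true,
    'post_type'      => array( 'post', 'page' ),
    'post_status'    => 'any',
    'posts_per_page' => -1,
) );

// A revision is usable only if none of its restorable fields carries the marker.
function revision_is_clean( WP_Post $rev, $marker ) {
    return stripos( $rev->post_title, $marker ) === false
        && stripos( $rev->post_excerpt, $marker ) === false
        && stripos( $rev->post_content, $marker ) === false;
}

foreach ( $defaced as $post ) {
    printf( "Post %d (%s): title \"%s\"\n", $post->ID, $post->post_type, $post->post_title );

    // 3. wp_get_post_revisions() returns newest first. The newest revision is
    //    normally the defacing edit itself, so take the first one without the marker.
    $clean = null;
    foreach ( wp_get_post_revisions( $post->ID ) as $rev ) {
        if ( revision_is_clean( $rev, $marker ) ) {
            $clean = $rev;
            break;
        }
    }

    if ( ! $clean ) {
        echo "  no clean revision available; restore this item from a backup instead\n";
        continue;
    }

    printf( "  clean revision %d from %s\n", $clean->ID, $clean->post_modified );
    if ( $restore ) {
        // Copies title, excerpt and content from the revision back onto the post.
        $result = wp_restore_post_revision( $clean->ID );
        echo $result ? "  restored\n" : "  restore failed\n";
    }
}

printf(
    "%d defaced item(s) found%s\n",
    count( $defaced ),
    $restore ? '' : ' (dry run; pass "restore" to roll back)'
);
```

Run the dry run first and read the report: a post that legitimately mentions "Hacked by" (a write-up like this one, for instance) will be listed too, and items with no clean revision need to come from a backup. Restoring leaves the defaced revision in the post's history, which is harmless once the site is patched.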
WordPress 4.7.1 also fixed eight security issues, including the PHPMailer remote code execution bug (descriptions from WordPress.org):
- Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
- Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
- Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
- Weak cryptographic security for multisite activation key. Reported by Jack.
If your WordPress website has been hacked, or you need to update your website, we are ready to help and get you taken care of quickly and professionally.