WordPress content injection flaw abused in defacement campaigns

According to experts at the security firm Sucuri, a critical content injection flaw in WordPress recently disclosed has already been exploited to deface thousands of websites.

Recently a critical vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw that affects the WordPress REST API.

The vulnerability was discovered by a security researcher at firm Sucuri who explained that the flaw could be exploited by an unauthenticated attacker to inject malicious content as well as for privilege escalation.

The attacker could exploit the zero-day content injection flaw to modify posts, pages, as well any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

The impact of the flaw is severe, at least 18 million websites run the popular WordPress CMS, roughly 26% of the top 10,000 websites are running WordPress.

Experts from Sucuri have worked with the WordPress development team that fixed the zero-day content injection vulnerability in the last release 4.7.2 issued on January 26.

The bad news is that many WordPress websites still haven’t been updated leaving the installation open to the attacks.

Experts from Sucuri reported first attacks leveraging the above vulnerability less than 48 hours after its disclosure.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.” states a report published by Sucuri.

The experts observed several massive defacement campaigns targeting WordPress across the world, in one of these campaigns, the hackers replaced the content of more than 60,000 web pages with “Hacked by” statements.

The other three operations, two of which seem to share a single IP address, have each targeted roughly 500 pages.

Sucuri monitored other three operations, two of which are linked to the same IP address as a source and have each targeted roughly 500 pages.

The risk when dealing with such kind of massive defacement is that crooks will leverage the vulnerability in WordPress to conduct Black SEO campaigns.

“What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.” states Sucuri.

Search engine poisoning is a profitable activity for the cyber crime ecosystem.

Sucuri WAF network has observed a significant increase of the number of exploit attempts, in the last week, as reported in the following graph.

A recent report published by Sucuri states that more than half of the WordPress websites hijacked in 2016 were running an outdated version. By default, WordPress installations are updated automatically, so it is strongly suggested to website administrators to avoid disabling this feature.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WordPress critical content injection flaw, hacking)