Recent WordPress flaw exploited to deface more than 1.5 million web sites

According to security firm WordFence, the content injection flaw in WordPress recently disclosed has already been exploited to deface over 1.5M websites.

A recently patched security vulnerability in the popular WordPress CMS has been exploited to deface roughly 1.5 million web pages.

The vulnerability was discovered by a security researcher at firm Sucuri who explained that the flaw could be exploited by an unauthenticated attacker to inject malicious content as well as for privilege escalation.

The attacker could exploit the zero-day content injection flaw to modify posts, pages, as well any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

At least 18 million websites run the popular WordPress CMS, roughly 26% of the top 10,000 websites are running WordPress.

Experts from Sucuri have worked with the WordPress development team that fixed the zero-day content injection vulnerability in the last release 4.7.2 issued on January 26.

The bad news is that many WordPress websites still haven’t been updated leaving the installation open to the attacks.

Experts from Sucuri reported first attacks leveraging the above vulnerability less than 48 hours after its disclosure.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.” states a report published by Sucuri.

The experts observed several massive defacement campaigns targeting WordPress across the world, in one of these campaigns, the hackers replaced the content of more than 60,000 web pages with “Hacked by” statements.

The situation is going to rapidly deteriorate, according to the security firm WordFence the number of defaced Web sites jumped to 1.5 million in a total of 20 different defacement campaigns.

The experts have also started observing attempts to exploit the vulnerability flaw for remote code execution.

Despite defacement attacks are not profitable for hackers, but as highlighted by firm Sucuri, crooks could leverage the vulnerability in WordPress to conduct Black SEO campaigns.

“What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward. There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability.” states Sucuri.

Search engine poisoning is a profitable activity for the cybercrime ecosystem.

Let’s close with a curiosity, researchers observed in some cases hackers are competing to deface sites, the only way to stop them is to update your WordPress installation.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – critical content injection flaw, hacking)