A critical privilege injection vulnerability has been reported in WordPress 4.70 and 4.71. The vulnerability allows an unauthenticated hacker to modify content of a page/post in WordPress site. The vulnerability was found in the REST API added by WordPress in one of its recent release. As soon as the vulnerability was discovered, WordPress security team worked on the patch and released it under the 4.7.2 update.
Websites Still Vulnerable
Thousands of websites still remain vulnerable. Since the patch & exploit methods are out in the open, hackers are exploiting the vulnerability and defacing the websites.
The problem is bigger for users who have wordpress update constrains due to custom development done on top. It is anticipated that this is only the start of mass defacement campaigns by hackers. Here are a few consequences of this vulnerability:
- Spam SEO: Since anyone can input arbitrary code in the post/page sections, a lot of spam seo links are being injected in the websites.
- Google Blacklisting: It is already been seen that google has been giving ‘This Site may be Hacked’ message under the website URL on search queries. Is not cleaned, such websites could be completely blacklisted by google.
- Targeted Attacks: Hackers can perform more targeted attacks to steal session data of administrators/website users.
Around 70,000 websites are estimated to be exploited by hackers till now. This number is only increasing passing every day as more and more hacker communities get to know about the magnitude of large chunk of websites still vulnerable.
Astra Security team is on top of this. We will keep on updating this as and when new findings happen. Astra Firewall users are safe from this vulnerability. You can start using Astra for your WordPress website now: https://www.getastra.com/wordpress-security