By Gary Nugent

WP REST API Bug

Security Risk: Severe

Exploitation Level: Easy/Remote

DREAD Score: 9/10

Vulnerability: Privilege Escalation / Content Injection

Patched Version: 4.7.2

There is a Content Injection Vulnerability in WordPress versions 4.7 and 4.7.1.

While working on WordPress, the Sucuri security team discovered a severe content injection vulnerability affecting the REST API in these two versions. The vulnerability allows an unauthenticated user to modify the content of any post or page on a WordPress site.

A fix for this was silently included in version 4.7.2 along with fixes for other less severe issues.

This issue is classified as a privilege escalation vulnerability and affects the WordPress REST API, which was recently added and enabled by default in WordPress 4.7.0.

One of the REST API endpoints allows posts to be viewed, edited, deleted and created. A subtle bug in this particular endpoint allows unauthenticated visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.
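Because the flaw is exploited through ordinary HTTP requests to the posts endpoint, the web server access log is the first place to check whether a site running 4.7.0 or 4.7.1 was actually hit. The following log triage script is an added example (not code from the original post or from Sucuri); it assumes Apache/nginx combined log format and flags every write-method request to the `wp/v2/posts` endpoint, whether addressed as `/wp-json/...` or via the `rest_route` query parameter. The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route of the posts endpoint, with an optional post id (/wp/v2/posts/123).
POSTS_PATH = re.compile(r"^/wp/v2/posts(?:/(?P<id>[^/?#]+))?/?$")
# Methods that create, update or delete a post through the REST API.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Combined log format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: two successful writes, one rejected delete.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:12 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2311
203.0.113.7 - - [06/Feb/2017:10:01:15 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2406
198.51.100.9 - - [06/Feb/2017:10:02:40 +0000] "POST /index.php?rest_route=/wp/v2/posts/5 HTTP/1.1" 200 1980
192.0.2.4 - - [06/Feb/2017:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.4 - - [06/Feb/2017:10:03:30 +0000] "DELETE /wp-json/wp/v2/posts/7 HTTP/1.1" 401 96
"""


def rest_route(target):
    """Return the REST route addressed by a request target, or None if it is not a REST call."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    route = parse_qs(parts.query).get("rest_route")
    return route[0] if route else None


def find_post_writes(lines):
    """Return (ip, time, method, post_id, status) for each write request to the posts endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        route = rest_route(m["target"])
        r = POSTS_PATH.match(route) if route else None
        if r:
            hits.append((m["ip"], m["time"], m["method"], r["id"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_post_writes(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 2xx status on one of these writes from a source you do not recognise means the post's revision history in wp-admin should be compared against the expected content; a 401 or 403 shows the permission check held.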

If you have not enabled automatic updates on your website, update to version 4.7.2 as soon as possible!

This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now!

The full investigation into how this serious bug was identified is in the Sucuri blog post.
