WordPress, one of the most widely used CMSs (Content Management Systems), has revealed that the security update released last week quietly fixed a major vulnerability in its core. WordPress kept the vulnerability under wraps for a week to give users time to patch before tipping off attackers through a public advisory.
A WordPress core maintainer, Aaron Campbell, explained: “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”
The newly found bug is in the WP REST API endpoint introduced in version 4.7. Any WordPress website that was updated to WordPress 4.7 in January 2017 and has not applied the patch released last week is vulnerable to a content injection bug that lets an unauthenticated attacker modify a page or post. Depending on the website’s plugins, the bug could also be leveraged to achieve code execution.
How it all began
The bug was reported on 20th January 2017 by the cyber-security firm Sucuri after Marc-Alexandre Montpas, one of Sucuri’s researchers, discovered the vulnerability. Fortunately, Sucuri found no exploitation attempts in the wild before reporting the flaw to WordPress. A patch was created very quickly; however, the WordPress team felt that extra testing was needed.
Sucuri added new rules to its Web Application Firewall to block exploit attempts against its customers, and contacted other companies so they could create similar rules to shield their clients before the update was released.
WordPress described the lengths it went to in order to shield users:
On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.
By Wednesday, many of the hosts WordPress had reached were blocking the bug, and on Thursday the patch was rolled out. Millions of WordPress sites were protected within a few hours, thanks to WordPress’s automatic update system. The many site owners who have disabled automatic updates and have yet to update their WordPress installation should do so as soon as possible.
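The article says hosts "regularly checked for exploit attempts against their users". The following is an added example, not code from the article, Sucuri or WordPress, of the kind of triage a host or site owner could run over their own web-server access logs: it parses combined-format log lines and flags write-method requests (POST/PUT/PATCH/DELETE) aimed at the WP REST API posts and pages endpoints, which is where this content injection bug lives. The log lines below are constructed sample data; the REST paths (`/wp-json/wp/v2/posts`, `/wp-json/wp/v2/pages` and the `?rest_route=` form) are WordPress's real endpoint layout.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# WP REST API content endpoints, in both the pretty-permalink form
# (/wp-json/wp/v2/posts/<id>) and the query-string form (?rest_route=/wp/v2/posts/<id>).
REST_CONTENT_RE = re.compile(
    r'(?:/wp-json/wp/v2/(?P<res1>posts|pages)(?:/\d+)?)'
    r'|(?:[?&]rest_route=/wp/v2/(?P<res2>posts|pages)(?:/\d+)?)'
)

# Methods that change content; a plain GET of these endpoints is normal read traffic.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log (not real traffic): one legitimate read, two REST writes,
# one ordinary page view and one login POST.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Feb/2017:10:01:22 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Feb/2017:10:01:23 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 812 "-" "curl/7.51.0"
198.51.100.7 - - [06/Feb/2017:10:02:05 +0000] "GET /?p=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Feb/2017:10:03:41 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F2 HTTP/1.1" 200 640 "-" "python-requests/2.12"
192.0.2.33 - - [06/Feb/2017:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_rest_write_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed entry that writes to the REST posts/pages endpoints.

    The path is percent-decoded first so that ?rest_route=%2Fwp%2Fv2%2F... is seen
    the same way WordPress sees it.
    """
    flagged = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None or entry["method"] not in WRITE_METHODS:
            continue
        m = REST_CONTENT_RE.search(unquote(entry["path"]))
        if not m:
            continue
        entry["resource"] = m.group("res1") or m.group("res2")
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in flag_rest_write_requests(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["resource"]} '
              f'status={hit["status"]} ua="{hit["ua"]}"')
```

Legitimate authenticated clients (mobile apps, plugins, scheduled publishing tools) also write through these endpoints, so the output is a triage list to correlate with the site's own user activity, not a verdict. A run of write requests to posts or pages from an address with no corresponding login is the pattern worth a closer look, and on an unpatched 4.7 or 4.7.1 site it is a reason to check recent post revisions.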
Are you at risk?
If your website runs WordPress and has not been updated to the latest version, 4.7.2, then you are at risk. You should install the latest update, which was released on 25th January 2017. If you or any of your friends use WordPress, it is strongly advisable to update the core and notify others about this vulnerability so they can update and stay protected.
The WordPress team has also acknowledged the issue and released a blog post today urging users to update their core, since it poses a “severe security threat” to sites. If you want to learn how to shield your website from attackers, read our post on how to protect your website from hackers.
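To turn "are you at risk?" into a repeatable check, here is an added example (not code from the article or from WordPress) that reads the WordPress version from the `<meta name="generator" content="WordPress x.y.z">` tag that a default installation prints in its page head, and reports whether that version falls in the affected range the article describes: 4.7 up to but not including the fixed release 4.7.2. The HTML below is a constructed sample; the generator tag format is what WordPress really emits unless a theme or plugin removes it.

```python
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 7)   # the REST API content endpoints shipped in 4.7
FIXED = (4, 7, 2)       # release carrying the fix, per the article

# Default WordPress head output, e.g. <meta name="generator" content="WordPress 4.7.1" />
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)["\']',
    re.IGNORECASE,
)

# Constructed sample page head (not a real site).
SAMPLE_HTML = (
    '<html><head><title>Example</title>'
    '<meta name="generator" content="WordPress 4.7.1" />'
    '</head><body></body></html>'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.7.1' -> (4, 7, 1); '4.7' -> (4, 7)."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so (4, 7) and (4, 7, 0) compare as equal."""
    return version + (0,) * (width - len(version))


def is_affected(version: str) -> bool:
    """True for 4.7 <= version < 4.7.2, the range the article describes."""
    v = pad(parse_version(version))
    return pad(AFFECTED_MIN) <= v < pad(FIXED)


def wordpress_version_from_html(html: str) -> Optional[str]:
    """Extract the version string from the generator meta tag, or None if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def assess(html: str) -> str:
    """One-line verdict for a fetched page head."""
    version = wordpress_version_from_html(html)
    if version is None:
        # Many hardened sites strip the generator tag; absence proves nothing either way.
        return "unknown: no generator tag found, check Dashboard > Updates in wp-admin"
    if is_affected(version):
        return f"{version}: AFFECTED by the REST API content injection bug, update to 4.7.2"
    return f"{version}: not in the affected range for this bug"


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

Because the generator tag is optional, the authoritative check is the version shown under Dashboard > Updates in wp-admin, or the `$wp_version` value in `wp-includes/version.php` on the server; this script is only a quick first pass that a hosting team could run across many sites from the outside.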