New Zero Day WordPress Vulnerability: Thousands of Websites at Risk

A new zero day WordPress vulnerability has been discovered in the WordPress REST API that allows content injection and escalation of user privileges. If exploited, an unauthenticated user would be able to modify any content on a WordPress site, including adding malicious links or exploit kits, turning a harmless site into one that serves malware and ransomware to its visitors.

The new zero day WordPress vulnerability was recently discovered by a security researcher at Sucuri. The flaw was reported to WordPress and has now been addressed in the latest release of the CMS platform. WordPress has started pushing the new version to websites through its automatic update mechanism. However, many sites are still running older, vulnerable versions of WordPress. All businesses that use WordPress as their CMS are strongly advised to update to version 4.7.2 of the platform at the earliest possible opportunity.

WordPress is usually quick to issue updates when a new zero day WordPress vulnerability is discovered, and this time was no exception. The new version of the platform was released on January 26, 2017. The problem affects the REST API, which was introduced in WordPress version 4.7. Any site running version 4.7 or 4.7.1 is therefore potentially at risk of being compromised.
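Because the affected range is so narrow (4.7 and 4.7.1, fixed in 4.7.2), the most useful first step for an administrator is an inventory check. The following is an added example, not code from the article or from WordPress or Sucuri: it reads the `$wp_version` string that WordPress ships in `wp-includes/version.php` and reports whether the install falls in the affected range, treating pre-release builds such as `4.7.2-RC1` as older than the 4.7.2 release. The sample file contents and the `classify`/`audit_docroot` function names are constructed for this example.

```python
import re
from pathlib import Path

# Constructed stand-in for the wp-includes/version.php that WordPress ships.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"

# Affected range per the article: the REST API arrived in 4.7; 4.7.2 carries the fix.
# Version tuples are (major, minor, patch, release_flag); release_flag is 0 for
# pre-release builds (beta/RC) so that 4.7.2-RC1 sorts below the 4.7.2 release.
AFFECTED_MIN = (4, 7, 0, 0)
FIXED = (4, 7, 2, 1)


def version_tuple(s):
    """Normalise a WordPress version string: '4.7' -> (4, 7, 0, 1)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", s.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % s)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # '4.7' is the same release as '4.7.0'
        parts.append(0)
    release_flag = 0 if m.group(2) else 1   # any suffix means pre-release
    return tuple(parts[:3]) + (release_flag,)


def parse_wp_version(php_text):
    """Extract $wp_version from version.php text; None if it is absent."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", php_text)
    return version_tuple(m.group(1)) if m else None


def is_affected(version):
    """True when the install is in the content-injection range [4.7, 4.7.2)."""
    return AFFECTED_MIN <= version < FIXED


def classify(php_text):
    """Return 'affected', 'not-affected' or 'unknown' for one version.php."""
    version = parse_wp_version(php_text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def audit_docroot(docroot):
    """Classify the WordPress install rooted at docroot (an assumed layout)."""
    path = Path(docroot) / "wp-includes" / "version.php"
    if not path.is_file():
        return "unknown"
    return classify(path.read_text(encoding="utf-8", errors="replace"))
```

Run it across every document root on a host and treat any `affected` or `unknown` result as needing a manual look before assuming the automatic update landed.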

Sucuri says the vulnerability is serious and could be exploited in many different ways. Full details of this zero day WordPress vulnerability have not been released, to make it harder for the flaw to be exploited. According to Sucuri, the vulnerability could lead to remote code execution, depending on the plugins that have been installed.

Sucuri notes that “even though the content is passed through wp_kses, there are ways to inject JavaScript and HTML through it. Update now!”

According to the analytics website BuiltWith, 93,981 websites worldwide are running WordPress version 4.7 or later. Many of those sites are extremely popular: 26% of the top 10,000 websites are reportedly WordPress-based.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news