• Home
  • About Us
  • Authors
  • Submit News
  • Contact Us
  • Privacy Policy
  • Sitemap
The Hack Post
  • Hacking News
    • Cyber Crime
  • Cyber Security
  • Technology
    • Internet
  • Entertainment
    • Gaming
  • Business
  • Science / Health
No Result
View All Result
The Hack Post
No Result
View All Result

WordPress REST API 0day Exploit is Out: Patch your CMS Now!

Ahmed Khan by Ahmed Khan
February 4, 2017
WordPress REST API 0day Exploit is Out: Patch your CMS Now!
Share on FacebookShare on Twitter

WordPress fixed three safety defects almost a week ago. However, only just recently did the organization address the unknown 0day exploits that allowed unauthorized hackers to edit and alter the content of a page or any article within a WordPress website.

The victim and vulnerabilities at hand exist within the REST API built for WordPress. Two major bugs were found allowing hackers Remote privilege escalation and Content injection.

The major issue at hand here is not the fact that the plugin has bugs in them, every single one out there does, but it’s more to do with the fact that the high-profile Content Management System company is used in millions upon millions of websites and they have made the REST API a default ever since their release of WordPress 4.7.0

The vulnerabilities are simple to manipulate, they affect versions 4.7 and 4.7.1 of the WordPress content management system (CMS), permitting an unauthenticated attacker to change all and any content on unpatched websites and can redirect people to destructive and malicious scripts along with virus infected software’s.

The vulnerabilities in the REST API were found and were reported by Marc-Alexandre Montpas from Sucuri to WordPress’s cyber security department. The security staff at WordPress managed to fix the problems within the API, and then immediately delivered a patch for everyone who has the CMS installed on their websites.
However, no details or factual information were revealed about the vulnerabilities when the patch was deployed to keep hackers from taking advantage of the situation and exploiting websites with the 0day before web administrators around the world could path their WordPress websites.

This is what a core WordPress contributor, Aaron Campbell, had to say about the delay in the disclosure of the bugs:

We believe transparency is in the public’s best interest…[and]… in this case, we intentionally delayed disclosing the issue by one week to ensure the safety of millions of additional WordPress sites.

Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

A video created by a user named Harsh Jaiswal demonstrating the Proof of Concept (PoC) of the exploit has been uploaded to YouTube.

The exploit itself has been posted to Pastebin for any of you who would want to pen-test your WordPress website for the vulnerability and see how the exploit works.

It is advised that for those who have WordPress versions 4.7.0 or 4.7.1 that they download the patches and/or upgrade to the latest updated version of WordPress, version 4.7.2. To get a more in-depth and more detailed clarification concerning the vulnerabilities and exploit, you can go directly to the official post on Sucuri’s blog.

Tags: WordPress ExploitWordpress Security
Ahmed Khan

Ahmed Khan

A security analyst and technical writer at The Hack Post. I’m passionate about spreading knowledge and enhancing my own in the fields of cyber security. I am studying Computer Forensics & Security at the Leeds Beckett University. Creating content is a hobby of mine and hopefully will make it more than just that with the experience and time I’ve spent here at The Hack Post.

Next Post
NTFS-3G (Debian < 9) Vulnerable To Root Privilege Escalation- Local Root Exploit is Out

NTFS-3G (Debian < 9) Vulnerable To Root Privilege Escalation: Local Root Exploit is Out

Latest Articles

The Premier Choice for Cesspool Service near Ronkonkoma, NY
Business

The Premier Choice for Cesspool Service near Ronkonkoma, NY

May 26, 2023
A-1 Sewer & Drain
Business

A-1 Sewer and Drain

May 26, 2023
What is Content at Scale and How Does it Help Boost Your Content?
news

What is Content at Scale and How Does it Help Boost Your Content?

May 26, 2023
The Evolution of Payment Systems in the Cryptocurrency Landscape
Business

The Evolution of Payment Systems in the Cryptocurrency Landscape

May 25, 2023
Reasons Small Business Loans get rejected
news

Reasons Small Business Loans get Rejected

May 16, 2023
A Complete Guide on Mobile App Wrapping
Technology

A Complete Guide on Mobile App Wrapping

May 16, 2023
Best Roofing Company in Indianapolis
news

Best Roofing Company in Indianapolis

May 16, 2023
Sealants for Industrial Processes Introducing CJM Centritec Non Contact Seals and CinchSeal Rotary Shaft Seals
news

Sealants for Industrial Processes: Introducing CJM Centritec Non Contact Seals and CinchSeal Rotary Shaft Seals

May 15, 2023
Building Custom Generative AI Models with TensorFlow
Technology

Building Custom Generative AI Models with TensorFlow

May 13, 2023
Secure Your Gaming Experience Top Tips for Safer Online Play
Entertainment

Secure Your Gaming Experience: Top Tips for Safer Online Play

May 11, 2023
windows in europe Everything You Need to Know
news

Windows in Europe: Everything You Need to Know

May 4, 2023
4 Advantages You Can Get Using WordPress Alternatives
Technology

4 Advantages You Can Get Using WordPress Alternatives

April 29, 2023
  • Home
  • About Us
  • Authors
  • Submit News
  • Contact Us
  • Privacy Policy
  • Sitemap

The Hack Post © 2019

No Result
View All Result
  • Hacking News
    • Cyber Crime
  • Cyber Security
  • Technology
    • Internet
  • Entertainment
    • Gaming
  • Business
  • Science / Health

The Hack Post © 2019