WordPress REST API 0day Exploit is Out: Patch your CMS Now!

Ahmed Khan by Ahmed Khan
February 4, 2017

WordPress fixed three security defects almost a week ago. Only now, however, has the organisation disclosed the previously unknown 0day vulnerability that allowed unauthenticated attackers to edit and alter the content of any page or post on a WordPress website.

The vulnerabilities lie in the REST API built into WordPress. Two major bugs were found, allowing remote privilege escalation and content injection.

The major issue here is not that the plugin has bugs (every piece of software does), but that this high-profile content management system is used on millions upon millions of websites, and the REST API has been enabled by default ever since the release of WordPress 4.7.0.

The vulnerabilities are simple to exploit. They affect versions 4.7 and 4.7.1 of the WordPress content management system (CMS), permitting an unauthenticated attacker to change any content on unpatched websites and to redirect visitors to malicious scripts and malware-infected software.

The vulnerabilities in the REST API were found and reported by Marc-Alexandre Montpas of Sucuri to WordPress's security team. The team fixed the problems in the API and immediately delivered a patch to everyone running the CMS on their websites.
However, no details about the vulnerabilities were revealed when the patch was deployed, in order to keep hackers from exploiting the 0day before web administrators around the world could patch their WordPress websites.

This is what core WordPress contributor Aaron Campbell had to say about the delay in disclosing the bugs:

We believe transparency is in the public’s best interest…[and]… in this case, we intentionally delayed disclosing the issue by one week to ensure the safety of millions of additional WordPress sites.

Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

A video created by a user named Harsh Jaiswal demonstrating the Proof of Concept (PoC) of the exploit has been uploaded to YouTube.

The exploit itself has also been posted for any of you who want to pen-test your own WordPress website for the vulnerability and see how the exploit works.

Those running WordPress 4.7.0 or 4.7.1 are advised to apply the patch or upgrade to the latest version, 4.7.2. For a more in-depth explanation of the vulnerabilities and the exploit, see the official post on Sucuri's blog.
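As an added example (not part of the original article or of Sucuri's write-up), a small Python triage script for site owners: it reads the WordPress version from a page's generator tag and flags the versions named above, and it scans combined-format web server log lines for write-method requests to the REST posts endpoint. The HTML snippet and log lines are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Versions the article names as affected; 4.7.2 carries the fix.
AFFECTED_VERSIONS = {"4.7", "4.7.0", "4.7.1"}

def is_affected_version(version: str) -> bool:
    """True if this WordPress version string is one the article lists as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS

# WordPress prints its version in a <meta name="generator"> tag unless a site hides it.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)

def version_from_html(html: str) -> Optional[str]:
    """Extract the WordPress version from a page's generator tag, or None if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

# Combined log format (Apache/nginx default): ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# The posts endpoint in both its pretty-permalink and ?rest_route= forms.
REST_POSTS_RE = re.compile(r'^/(?:wp-json/wp/v2/posts|index\.php\?rest_route=/wp/v2/posts)(?:/|$|\?)')

def find_rest_write_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return write-method requests to the REST posts endpoint for triage.
    The access log cannot show whether a request carried a valid session, so compare
    hits against known editor addresses and the site's post revision history."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS and REST_POSTS_RE.match(m["path"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits

# Constructed sample data (not real traffic).
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>'
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Feb/2017:10:15:02 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 5120 "-" "curl/7.51.0"',
    '198.51.100.7 - - [04/Feb/2017:10:15:03 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 612 "-" "curl/7.51.0"',
    '192.0.2.10 - admin [04/Feb/2017:10:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Feb/2017:10:17:09 +0000] "PUT /index.php?rest_route=/wp/v2/posts/7 HTTP/1.1" 200 598 "-" "curl/7.51.0"',
    '192.0.2.10 - - [04/Feb/2017:10:18:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    v = version_from_html(SAMPLE_HTML)
    print(f"version {v}: {'AFFECTED, upgrade to 4.7.2' if v and is_affected_version(v) else 'not in affected list'}")
    for h in find_rest_write_attempts(SAMPLE_LOG):
        print(h)
```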

Tags: WordPress Exploit, WordPress Security

Ahmed Khan

A security analyst and technical writer at The Hack Post. I’m passionate about spreading knowledge and enhancing my own in the fields of cyber security. I am studying Computer Forensics & Security at the Leeds Beckett University. Creating content is a hobby of mine and hopefully will make it more than just that with the experience and time I’ve spent here at The Hack Post.
