WordPress is one of the most used content management system (CMS) in the world. So when there is a security flaw in its system, it affects millions of users on the Internet. That is exactly what has been discovered by security researchers at Sucuri, an Internet security company which revealed that WordPress websites are vulnerable to a critical and easily exploitable zero-day Content Injection vulnerability.

Sucuri found a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site. However, there is good news since Sucuri discretely reported the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch before this became public.
If you are using WordPress on your website the only way you may be at risk is if you have not updated your WordPress to the latest version 4.7.2. The update was issued on January 26th.

In their blog post, Marc Alexandre Montpas from Sucuri stated that “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”

Montpas further stated that “This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!”

If you or your friends are using WordPress, it is highly advisable to update your website and inform others about the issue so they can also update their WordPress to the latest version.

WordPress has also acknowledged the issue and published a blog post earlier today urging users to update their WordPress since it poses a “severe security risk” for users.

 

Share

March 17, 2015

We have been doing a Web Application Pentest forĀ a fairly large company this week. They are hosting with a well known Webhosting company, but maintain their own WordPress install with dozens of plugins.

Upon the initial assessment around the Web Application incl. WP-Scans, we immediately figured, that a lot of the dozens of plugins they use haven’t been maintained in terms of upgrades and patching.

We stumbled across an old installation of Contact Form 7, which is a very popular contact form script which allows users to use a contact form. Unfortunately, this old version didn’t sanitise any user input and by modifying an exploit which is available on the Exploit-DB (http://www.exploit-db.com/exploits/34922/), we were able to use the upload file function in the plugin to simply upload a remote controlled PHP script. System compromised.

We cannot stress enough that most plugins for WordPress out there have weak coding (well they are free after all and many are done by hobby programmers). But more worrying is the fact that customers seem not to regularly patch their WordPress installations and Plugins. Please keep them up to date.

Share