WordPress silently fixes serious security vulnerability
Last week it was reported that WordPress had silently fixed a critical zero-day vulnerability. To protect millions of websites and their users, WordPress delayed disclosure of the vulnerability for over a week to give users time to install the patch before exploits appeared. However, many WordPress websites have still not been updated.
The vulnerability lies in the WordPress REST API and allows an unauthenticated attacker to delete or modify all pages on unpatched websites, and to redirect their visitors to malicious exploits and a wide range of other attacks.
WordPress does include a default feature that automatically updates unpatched websites, but some admins running critical services disable it so that they can test patches before applying them.
Security researchers noticed attacks leveraging this vulnerability less than 48 hours after disclosure, with at least four different campaigns targeting still-unpatched websites.
In one of these campaigns, hackers were able to replace the content of more than 60,000 web pages with "Hacked by" messages. The other campaigns targeted roughly 1,000 pages in total.
Such attacks appear to be carried out mostly as black hat SEO campaigns, in order to spread spam and boost the attackers' online reputation.
Site administrators are advised to update their websites to the latest WordPress release, 4.7.2, immediately.
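The advisory's two action points for administrators are the installed core version and whether automatic core updates have been switched off. The following added example (not CERT-MU's or WordPress's own code) audits both from the two files a WordPress install already ships: it reads `$wp_version` from `wp-includes/version.php` and compares it against the 4.7.2 release named above, and it checks `wp-config.php` for the real WordPress constants `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE`. The file contents at the bottom are constructed samples; the `audit` function and the finding strings are this example's own assumptions.

```python
"""Audit a WordPress install against the 4.7.2 advisory.

Added example; not code from CERT-MU, The Hacker News or the WordPress project.
Checks (1) whether core is at or above the fixed release and (2) whether
automatic core updates have been disabled in wp-config.php.
"""
import re

FIXED_RELEASE = (4, 7, 2)  # release named in the advisory


def parse_version(version_php: str) -> tuple:
    """Extract $wp_version from wp-includes/version.php as a tuple of ints."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    # Drop pre-release suffixes such as '-beta1' before comparing numerically.
    core = match.group(1).split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: tuple) -> bool:
    """True if the version is at or above the fixed release (4.7 -> 4.7.0)."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded >= FIXED_RELEASE


def auto_updates_disabled(wp_config_php: str) -> bool:
    """True if wp-config.php turns off automatic core updates.

    Either define('AUTOMATIC_UPDATER_DISABLED', true) or
    define('WP_AUTO_UPDATE_CORE', false) prevents the minor release
    carrying this fix from being installed automatically.
    """
    if re.search(r"define\(\s*'AUTOMATIC_UPDATER_DISABLED'\s*,\s*true\s*\)",
                 wp_config_php, re.IGNORECASE):
        return True
    match = re.search(r"define\(\s*'WP_AUTO_UPDATE_CORE'\s*,\s*(\w+)\s*\)",
                      wp_config_php, re.IGNORECASE)
    return bool(match) and match.group(1).lower() == "false"


def audit(version_php: str, wp_config_php: str) -> list:
    """Return a list of findings (empty list means nothing to act on).

    Hypothetical helper for this example; finding strings are its own.
    """
    findings = []
    version = parse_version(version_php)
    if not is_patched(version):
        findings.append("core %s is below the fixed release 4.7.2; update now"
                        % ".".join(str(p) for p in version))
    if auto_updates_disabled(wp_config_php):
        findings.append("automatic core updates are disabled in wp-config.php; "
                        "security releases will not be applied without manual action")
    return findings


# Constructed sample file contents (not taken from a real install).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"
SAMPLE_WP_CONFIG = ("<?php\ndefine('DB_NAME', 'wp');\n"
                    "define('AUTOMATIC_UPDATER_DISABLED', true);\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```

Run it against the real files by replacing the two sample strings with `open('wp-includes/version.php').read()` and `open('wp-config.php').read()`; an empty result means core is at or above 4.7.2 and automatic updates are still on. An install that disables auto-updates for change control, as the advisory describes, will be flagged even once patched, which is the intended reminder that future fixes will also need a manual step.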
The Hacker News
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street