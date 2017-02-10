Recent WordPress vulnerability used to deface 1.5 million pages

Attackers are exploiting the recently patched REST API vulnerability that allows unauthenticated users to inject content into WordPress posts and pages

Lucian Constantin, Romania Correspondent, IDG News Service

[Image: The WordPress REST API vulnerability attracted a large wave of attacks. Credit: Alexander Gounder/Pixabay]

Up to 20 attackers or groups of attackers are defacing WordPress websites that haven't yet applied a recent patch for a critical vulnerability.

The vulnerability, located in the platform's REST API, allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The flaw was fixed in WordPress 4.7.2, released on Jan. 26, but the WordPress team did not publicly disclose the vulnerability's existence until a week later, to allow enough time for a large number of users to deploy the update.

However, even after the flaw became public, many webmasters did not apply the patch and a wave of attacks soon followed. On Monday, web security firm Sucuri reported that around 67,000 pages had been defaced in four separate attack campaigns.

Since then, the number of defaced pages has grown to over 1.5 million, and there are now 20 different attack signatures, according to statistics from Feedjit, the company behind the Wordfence security plug-in for WordPress. The number of unique affected websites is estimated at around 40,000, since a single site can have many defaced pages.

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," Mark Maunder, the CEO of Feedjit, said in a blog post Thursday. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

One interesting aspect is that attackers have managed to find a way to defeat the initial blocking rules put in place by web application firewall vendors and web hosting companies to protect their customers from attempts to exploit this flaw.

These companies can't force webmasters to update their WordPress installations, but they can put filters in place on their web servers to block such attacks from reaching their customers' websites. In fact, before releasing the official patch, the WordPress security team reached out to select web security and hosting firms to help them deploy protection rules for this flaw.
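The article does not spell out the request shape the attacks used, so the following is an added example, not code from the article or from WordPress, Sucuri or Wordfence. It assumes the publicly documented form of the 4.7.0/4.7.1 content-injection request: a write (POST, PUT or PATCH) to the posts or pages REST endpoint whose `id` parameter is a number followed by non-digits (for example `1abc`), supplied in the query string or in the request body so that it overrides the purely numeric id matched in the URL path. The log format and the sample lines are constructed for the example. The point for anyone writing the kind of server-side blocking rule described above is that the `id` can arrive in the query string, in a form-encoded body or in a JSON body, so a rule that inspects only the query string is easy to bypass.

```python
"""Flag WordPress REST API write requests that carry a non-integer `id`.

Added example, not from the article or from WordPress, Sucuri or Wordfence.
Assumption: the publicly documented exploit shape for the WordPress
4.7.0/4.7.1 REST API content-injection flaw, i.e. an `id` such as "1abc"
on a POST/PUT/PATCH to /wp-json/wp/v2/posts/<n> or /wp-json/wp/v2/pages/<n>.
The log format (METHOD<TAB>TARGET<TAB>BODY) and the sample lines are
constructed for this example.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Write endpoints for posts and pages; the path id is always digits-only.
REST_WRITE = re.compile(r"^/wp-json/wp/v2/(posts|pages)(?:/(\d+))?/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}
INTEGER = re.compile(r"^\d+$")


def ids_in_request(method, target, body=""):
    """Return every `id` value a request supplies outside the URL path:
    query-string ids plus form-encoded or JSON body ids.

    Body values are what a query-string-only WAF rule misses; a legitimate
    editor sends no override at all, or a plain integer.
    """
    parts = urlsplit(target)
    if method.upper() not in WRITE_METHODS or REST_WRITE.match(parts.path) is None:
        return []
    candidates = list(parse_qs(parts.query).get("id", []))
    body = body.strip()
    if body.startswith("{"):
        # JSON body: the id may be a string or a number.
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            data = {}
        if isinstance(data, dict) and "id" in data:
            candidates.append(str(data["id"]))
    elif body:
        # application/x-www-form-urlencoded body.
        candidates.extend(parse_qs(body).get("id", []))
    return candidates


def is_suspicious(method, target, body=""):
    """True when a write to posts/pages carries an `id` that is not a plain integer."""
    return any(INTEGER.match(value) is None for value in ids_in_request(method, target, body))


def scan(log_lines):
    """Return the constructed log lines that match the injection pattern."""
    hits = []
    for line in log_lines:
        method, target, body = (line.split("\t", 2) + ["", ""])[:3]
        if is_suspicious(method, target, body):
            hits.append(line)
    return hits


# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    "GET\t/wp-json/wp/v2/posts/1\t",                                   # read, harmless
    "POST\t/wp-json/wp/v2/posts/1?id=1abc\t",                          # id override in query string
    "POST\t/wp-json/wp/v2/posts/1\tid=1abc&content=defaced",           # same override in form body
    'POST\t/wp-json/wp/v2/posts/1\t{"id": "1abc", "content": "defaced"}',  # same override in JSON body
    "POST\t/wp-json/wp/v2/posts/1\tid=1&content=legitimate edit",      # authenticated editor, integer id
    "POST\t/wp-json/wp/v2/pages/7?id=7x\t",                            # pages endpoint, query string
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run as a script, it prints the four constructed lines that override the path id with a non-integer value; the GET and the integer-id edit pass. This is a signature for the known request shape, not a fix: installations still need WordPress 4.7.2, and a rule like this belongs in front of the site only as a stopgap for hosts that cannot force the update.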

Google has also sent out security alerts regarding this vulnerability to webmasters who registered their WordPress websites in the Google Search Console service. The alerts advised them to install the WordPress 4.7.2 update but generated some confusion among users who had already applied the patch.

Past experience with other serious flaws in WordPress and similar content management systems suggests that, despite these efforts, some installations will never be updated and will remain vulnerable to this flaw for a long time to come.

The bad news is that it's probably only a matter of time until attackers stop defacing pages and start injecting malicious code into them, affecting their visitors.


Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.
