
WordPress Just Fixed Serious Zero-Day Bug In Versions 4.7 and 4.7.1

WordPress recently patched three major security vulnerabilities in its latest update. The flaws could allow cross-site scripting and SQL injection, along with a range of follow-on issues. The fixes cover WordPress versions 4.7.1 and earlier. Applying the update as soon as possible is still highly recommended.

However, it is now known that, apart from the security issues just mentioned, the update also fixed a dangerous and then-undisclosed zero-day vulnerability that could lead to remote access and to the deletion of WordPress pages. The reason WordPress didn’t publicly announce the zero-day is that it didn’t want to lure hackers into exploiting it. So they said.

Zero-day in WordPress 4.7 and 4.7.1 Explained: Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint

The bug allowed all pages on vulnerable websites to be modified. Also, visitors could have been redirected to malicious sites leading to more security-related complications. WordPress postponed the public announcement for a week and is now urging everyone involved to update.


In an additional post, WordPress wrote:

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

The zero-day was reported on January 20th by security firm Sucuri, specifically by researcher Marc-Alexandre Montpas. Fortunately, no attackers had exploited the bug, and a fix was prepared shortly after it was reported. Nonetheless, WordPress took the time to test the issue further, as it felt the flaw was quite serious.

Meanwhile, Sucuri added new rules to its Web Application Firewall so that exploit attempts were blocked. Other companies were contacted as well, to create similar rules and shield users from attacks before the update was finalized.

Sucuri wrote:

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.


Eventually, the update was ready last Thursday. It’s also important to note that WordPress 4.7.x users were quickly protected via the auto-update system. However, users who don’t let WordPress update automatically have to apply the update themselves before it’s too late.
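Two checks a site operator or host could run for the situation described above: confirming whether an install is on one of the two affected versions, and scanning an access log for write requests aimed at the REST API posts/pages routes of the kind hosts were watching for. This is an added example, not code from WordPress or Sucuri; it assumes the WP REST API v2 route layout under /wp-json/ (or the ?rest_route= query form) and a combined-format access log, and the log lines are constructed.

```python
import re
from typing import Iterable, List, Tuple

# The article names 4.7 and 4.7.1 as the affected releases.
VULNERABLE_VERSIONS = {"4.7", "4.7.1"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumption: posts/pages routes of the WP REST API v2, reachable either
# under /wp-json/ (pretty permalinks) or via the ?rest_route= query form.
REST_WRITE_TARGET = re.compile(
    r"^(?:/wp-json/wp/v2/(?:posts|pages)(?:/\d+)?(?:[/?]|$)"
    r"|/(?:index\.php)?\?rest_route=/wp/v2/(?:posts|pages)\b)"
)
# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2017:10:15:01 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Feb/2017:10:15:03 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2104 "-" "python-requests/2.12"
198.51.100.7 - - [01/Feb/2017:10:16:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2017:10:17:02 +0000] "POST /?rest_route=/wp/v2/pages/3 HTTP/1.1" 403 0 "-" "curl/7.51"
"""

def wp_version_from_source(version_php: str) -> str:
    """Pull the $wp_version string out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def is_vulnerable_version(version: str) -> bool:
    """True if the install is on one of the releases the article names as affected."""
    return version.strip() in VULNERABLE_VERSIONS

def flag_rest_writes(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for write requests to the posts/pages routes."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["method"] in WRITE_METHODS and REST_WRITE_TARGET.match(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print(is_vulnerable_version(wp_version_from_source("<?php\n$wp_version = '4.7.1';\n")))
    for hit in flag_rest_writes(SAMPLE_LOG.splitlines()):
        print(hit)
```

Flagged lines are candidates to correlate with authentication state, since logged-in editors also write to these routes legitimately; a 403 from a WAF rule, as in the last sample line, is the blocked case the article describes.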

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
