WordPress recently patched three major security vulnerabilities in its latest update. The flaws could allow for cross-site scripting and SQL injections, and a range of other subsequent issues. The fixes affected WordPress versions 4.7.1 and earlier. Applying the update as soon as possible is still highly recommended.
However, it is now known that apart from the security issues just mentioned the platform fixed a dangerous and then-secret zero-day vulnerability that could lead to remote access and to the deletion of WordPress pages. The reason they didn’t publicly announce the zero-day is that they didn’t want to lure hackers into exploiting it. So they said.
Zero-day in WordPress 4.7 and 4.7.1 Explained: Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint
The bug allowed all pages on vulnerable websites to be modified. Also, visitors could have been redirected to malicious sites leading to more security-related complications. WordPress postponed the public announcement for a week and is now urging everyone involved to update.
In an additional post, WordPress wrote:
In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.
The zero-day was reported on January 20th by security firm Sucuri, more particularly researcher Marc-Alexandre Montpas. Fortunately, no attackers have exploited the bug, and a fix was prepared shortly after it was reported. Nonetheless, WordPress took the time to test the issue further as it felt it was quite serious.
On the other hand, Sucuri added new rules to their Web Application Firewall so that exploit attempts were blocked. Other companies were contacted, too, to create similar rules to shield users from attacks before the update was finalized.
On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.
Eventually, the update was ready last Thursday. It’s also important to note that WordPress 4.7.x users were quickly protected via the auto update system. However, users who don’t update WordPress automatically have to do it themselves before it’s too late.