
[Vulnerability notice] REST API content injection and privilege escalation vulnerability in WordPress

Last Updated: Apr 18, 2018

WordPress is a free and open-source blogging platform and content management system based on PHP and MySQL, used by at least 18 million websites. The functionality of the REST API plug-in is integrated into WordPress 4.7.0 and later versions, which introduces the security issue described in this notice.

Marc-Alexandre Montpas, a researcher at the security company Sucuri, discovered the WordPress REST API content injection and privilege escalation vulnerability on January 22, 2017 and reported it to WordPress. WordPress urgently fixed the vulnerability and released a security update on January 26, 2017.

See the following for more information about the vulnerability.

CVE identifier

None

Vulnerability name

WordPress REST API content injection and privilege escalation vulnerability

Vulnerability rating

High

Vulnerability description

The functionality of the original REST API plug-in is integrated into WordPress 4.7.0 and later versions and is enabled by default. If the site is configured in non-plain mode, the following tag appears in the HTML of the WordPress website homepage:

  <link rel="https://api.w.org/" href="http://www.xxx.com/wp-json/">

From this tag, the WordPress REST API address (http://xxx.com/wp-json/ in this example) can be obtained.

Using the API's GET and POST requests, an attacker can inject malicious content into the site, escalate privileges, and modify the content of posts, pages, and so on. In severe cases, sensitive data may be exposed.
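The two facts a defender needs from this section are whether a site advertises the REST API endpoint in its homepage HTML and whether its WordPress version falls in the affected range. The following script is an added example (not part of the original notice) that parses the link tag described above and classifies a separately obtained version string against the scope of this notice; the sample HTML and the function names are constructed for illustration.

```python
"""Check a WordPress site's exposure to the REST API issue in this notice.

Added example, not from the original notice. The REST API base URL is read
from the <link rel="https://api.w.org/"> tag on the homepage; the version
string must be obtained separately (for example from the site's own admin).
"""
from html.parser import HTMLParser
from typing import Optional, Tuple

REST_LINK_REL = "https://api.w.org/"
AFFECTED_VERSIONS = {(4, 7, 0), (4, 7, 1)}   # scope stated in the notice


class _RestLinkFinder(HTMLParser):
    """Records the href of the first <link> whose rel is the REST API marker."""

    def __init__(self) -> None:
        super().__init__()
        self.api_url: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag != "link" or self.api_url is not None:
            return
        a = dict(attrs)
        if a.get("rel") == REST_LINK_REL and a.get("href"):
            self.api_url = a["href"]


def find_rest_api_url(html: str) -> Optional[str]:
    """Return the REST API base URL advertised on the homepage, or None."""
    finder = _RestLinkFinder()
    finder.feed(html)
    return finder.api_url


def parse_version(version: str) -> Tuple[int, int, int]:
    """'4.7' -> (4, 7, 0); '4.7.1' -> (4, 7, 1). Trailing non-numeric parts are dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(html: str, wp_version: str) -> dict:
    """Combine endpoint exposure and version into a verdict for this notice."""
    version = parse_version(wp_version)
    affected = version in AFFECTED_VERSIONS
    return {
        "rest_api_url": find_rest_api_url(html),
        "version": version,
        "affected": affected,
        "action": "upgrade to 4.7.2 or later" if affected else "none required",
    }


# Constructed homepage fragment using the placeholder host from the notice.
SAMPLE_HTML = ('<html><head><link rel="https://api.w.org/" '
               'href="http://www.xxx.com/wp-json/" /></head></html>')
```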

Affected scope

  • WordPress 4.7.0
  • WordPress 4.7.1

How to fix or mitigate

Upgrade to the official release, WordPress 4.7.2 or later.

Reference

[1] https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[2] https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
[3] http://v2.wp-api.org/
