WordPress is free and open-source blogging software and a content management system based on PHP and MySQL. It has a minimum of 18 million website users. The functionality of the REST API plug-in is integrated into WordPress 4.7.0 and later versions, which introduces security risks.
Marc-Alexandre Montpas, a researcher at the security company Sucuri, detected the WordPress REST API content injection and privilege escalation vulnerability on January 22, 2017 and informed WordPress of the vulnerability. WordPress urgently fixed the vulnerability and released a security update on January 26, 2017.
See the following for more information about the vulnerability.
WordPress REST API content injection and privilege escalation vulnerability
The functionality of the original REST API plug-in is integrated into WordPress 4.7.0 and later versions and is enabled by default. If permalinks are set to anything other than Plain mode, the following tag appears in the HTML of the WordPress site's homepage:
<link rel="https://api.w.org/" href="http://www.xxx.com/wp-json/">
From this tag, the WordPress REST API address http://xxx.com/wp-json/ can be obtained.
Using the API's GET and POST requests, an attacker can inject malicious content into the server, escalate privileges, and modify the content of articles, pages, and so on. In severe cases, sensitive data may be leaked.
Affected versions
- WordPress 4.7.0
- WordPress 4.7.1
How to fix or mitigate
Upgrade to the official release 4.7.2 or later.
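Upgrading is the fix. For a site that cannot be updated immediately, the stopgap below is an added example (not part of the advisory or of WordPress itself) that denies anonymous write requests to the REST API while leaving anonymous reads available; it assumes the file is dropped into wp-content/mu-plugins/ under the assumed name rest-anon-write-block.php, and it relies on the real WordPress rest_pre_dispatch filter.

```php
<?php
/*
 * Plugin Name: Anonymous REST write block (stopgap)
 * Description: Temporary hardening for WordPress 4.7.0/4.7.1 until 4.7.2 is installed.
 * Assumed install path: wp-content/mu-plugins/rest-anon-write-block.php
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Deny any REST request from a user who is not logged in unless the
 * effective HTTP method is read-only. $request->get_method() already
 * reflects the `_method` query override and the X-HTTP-Method-Override
 * header, so a write disguised as a GET is still treated as a write.
 *
 * Returning a WP_Error from rest_pre_dispatch short-circuits dispatch;
 * the REST server turns it into an error response with the given status.
 */
function rest_anon_write_block( $result, $server, $request ) {
    // Another filter already produced a response; do not interfere.
    if ( null !== $result ) {
        return $result;
    }

    $read_only = array( 'GET', 'HEAD', 'OPTIONS' );
    if ( in_array( $request->get_method(), $read_only, true ) ) {
        return null; // Anonymous reads stay available.
    }

    if ( is_user_logged_in() ) {
        return null; // Authenticated writes are left to each endpoint's own checks.
    }

    // Record the denied attempt in the PHP error log for later review.
    error_log( sprintf(
        'REST write denied for anonymous request: %s %s',
        $request->get_method(),
        $request->get_route()
    ) );

    return new WP_Error(
        'rest_anon_write_denied',
        __( 'Authentication is required for this request.' ),
        array( 'status' => 401 )
    );
}
add_filter( 'rest_pre_dispatch', 'rest_anon_write_block', 10, 3 );
```

Any plugin that legitimately accepts anonymous POSTs over the REST API (a public form handler, for example) will also be blocked while this file is in place, so remove it once the upgrade to 4.7.2 or later is done.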