Zero-day Injection Vulnerability found in WordPress

  • 2 February 2017

Userlevel 7
Badge +54
This has been a big one which was kept quiet until it was fixed, but anybody who uses it with automatic updates turned off must update ASAP!

February 2, 2017  By Pierluigi Paganini

A new dangerous Zero-day Content Injection vulnerability has been discovered in the WordPress CMS, it affects the WordPress REST API.

 
A new dangerous vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API.
 
The vulnerability, discovered by a security researcher at the security firm Sucuri, could be exploited by an unauthenticated attacker to inject malicious content as well as for privilege escalation.

The attacker could exploit the zero-day content injection vulnerability to modify posts, pages, and any other content.

Experts from Sucuri have worked with the WordPress development team, which fixed the zero-day content injection vulnerability in the latest release, 4.7.2.
 
Full Article
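Two checks a site owner can run in response to the post above, as an added example that is not from the original thread or from the Sucuri or WordPress projects: read `$wp_version` from `wp-includes/version.php` and compare it against the fixed release 4.7.2, and triage web server access logs for write requests to the WordPress REST API posts route (both the `/wp-json/` form and the `?rest_route=` fallback). The version file content and log lines below are constructed samples; the combined log format is assumed.

```python
import re
from urllib.parse import unquote

# Release the thread names as carrying the fix (constructed check, not WordPress code).
FIXED_VERSION = (4, 7, 2, 0)

def parse_version(version_php: str) -> tuple:
    """Read $wp_version from wp-includes/version.php text as a comparable tuple.
    A pre-release suffix ('4.7.2-beta1') sorts below the final 4.7.2."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    core, _, suffix = m.group(1).partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # '4.8' -> 4.8.0
    return tuple(parts) + ((-1,) if suffix else (0,))

def needs_update(version_php: str) -> bool:
    return parse_version(version_php) < FIXED_VERSION

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# The posts route, both with pretty permalinks and via the ?rest_route= fallback.
REST_POSTS = re.compile(r"/wp-json/wp/v2/posts|rest_route=/wp/v2/posts")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def rest_write_requests(log_lines):
    """Return (ip, method, decoded path, status) for write requests to the posts route.
    Triage aid only: the log does not show whether the caller was authenticated."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        path = unquote(m["path"])             # catch %2Fwp%2Fv2%2Fposts encodings
        if REST_POSTS.search(path):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample inputs (not real sites or real log data).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Feb/2017:10:12:07 +0000] "POST /wp-json/wp/v2/posts/123 HTTP/1.1" 200 812',
    '198.51.100.4 - - [03/Feb/2017:10:13:40 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F7 HTTP/1.1" 200 640',
    '198.51.100.8 - - [03/Feb/2017:10:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

A successful write to the posts route from an address that never logged in is the kind of entry worth cross-checking against post revision history on a site that was still below 4.7.2.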

2 replies

Userlevel 7
Badge +54
February 7, 2017  By Pierluigi Paganini
 

According to experts at the security firm Sucuri, a critical content injection flaw in WordPress recently disclosed has already been exploited to deface thousands of websites.

 
Recently a critical vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw that affects the WordPress REST API.
 
The bad news is that many WordPress websites still haven't been updated, leaving those installations open to attack.
Experts from Sucuri reported the first attacks leveraging the above vulnerability less than 48 hours after its disclosure.
“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online. With that information easily available, the internet-wide probing and exploit attempts began.” states a report published by Sucuri.
 
Full Article
Userlevel 7
Badge +54
It is urgent that site owners get their WordPress installations updated ASAP!!!!!
 

It’s all fun and games until someone executes malicious code. That may be next.
Dan Goodin (US) - 11/2/2017
 
Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.
 
A rogues' gallery of sites have been hit by the defacements. They include conservative commentator Glenn Beck's glennbeck.com, Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more. At least 19 separate campaigns are participating and, in many cases, competing against each other in the defacements. Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.
 
Full Article
