Patch “severe” WordPress REST API bug now, warn experts

Anyone running a website using WordPress 4.7 and later should immediately apply an update to close a serious remotely exploitable bug.

WordPress released 4.7.2 last week but deferred disclosing details of one extra bug affecting the WordPress REST API, which was enabled by default in the January release of WordPress 4.7.

WordPress is by far the most popular content management system and, as such, is a popular target for attackers. The REST API turns a WordPress site into a web service, allowing other devices and websites to retrieve data from the site in a machine-readable format.

A security researcher at Sucuri, however, discovered that the REST API contained a content-injection privilege-escalation flaw stemming from a language feature called “type juggling”, which can be abused to let an attacker modify any post or page on a WordPress site.

"One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site," explained Sucuri researcher Marc-Alexandre Montpas.

While the impact could be limited to defacing a website, the flaw can also lead to remote code execution through a WordPress plugin the attacker would not normally be able to reach.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now!” Sucuri warned.

WordPress maintainers also urged users to update immediately, explaining that they had delayed disclosing the issue by a week to give users time to update.

Prior to last week’s patch, WordPress says it had asked web application firewall firms, including SiteLock, Cloudflare and Incapsula, to add a set of rules to block any possible attacks. It also worked with WordPress hosting providers to fix the flaw at their end, and advised Akamai, which on Monday confirmed it had not seen any attempt to exploit this vulnerability prior to last week’s patch.


“We can confirm that although we have seen a few probes for WP Web API endpoints that have non-integer values, we have not seen any indications of exploit attempts for this vulnerability,” said Ryan Barnett, Principal Security Researcher on Akamai's Threat Research Team.

“We will continue, however, to monitor for related traffic once this vulnerability is made public and will report back a status in the near future."

Akamai, which has published a full technical write-up on the flaw, says the bug is critical for WordPress users to fix because it is remotely exploitable, does not require the attacker to be authenticated, and attacks can easily be automated with scripts.
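Akamai's note that it saw probes for REST endpoints carrying non-integer values, together with the firewall rules WordPress asked WAF vendors to deploy, describes a check a site operator can also run over ordinary web-server access logs. The following is an added example, not code from the article, Sucuri, Akamai or WordPress: it parses constructed combined-format log lines and flags requests to the standard WordPress posts REST route (`/wp-json/wp/v2/posts/<id>`, or the `?rest_route=` form used when pretty permalinks are off) whose post identifier is not a plain integer; checking an `id` query parameter as well is an assumption, as are the log lines themselves.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2017:10:00:01 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Feb/2017:10:00:07 +0000] "POST /wp-json/wp/v2/posts/42abc HTTP/1.1" 200 310 "-" "python-requests/2.12"
198.51.100.7 - - [01/Feb/2017:10:00:09 +0000] "POST /wp-json/wp/v2/posts/17?id=17xyz HTTP/1.1" 200 298 "-" "curl/7.50"
203.0.113.5 - - [01/Feb/2017:10:00:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2017:10:00:15 +0000] "POST /?rest_route=/wp/v2/posts/9z HTTP/1.1" 200 300 "-" "curl/7.50"
"""

# Combined log format: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The WordPress posts route, with an optional single-post identifier segment.
POSTS_ROUTE_RE = re.compile(r'^(?:/wp-json)?/wp/v2/posts(?:/(?P<id>[^/]+))?/?$')

def rest_route_and_id_values(target: str) -> Tuple[Optional[str], List[str]]:
    # Returns (route, identifiers) for a posts-route request, else (None, []).
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Sites without pretty permalinks expose the REST route via ?rest_route=...
    route = query["rest_route"][0] if "rest_route" in query else parts.path
    m = POSTS_ROUTE_RE.match(route)
    if not m:
        return None, []
    ids = [m.group("id")] if m.group("id") is not None else []
    ids.extend(query.get("id", []))  # assumption: an id may also arrive as a query parameter
    return route, ids

def is_clean_post_id(value: str) -> bool:
    # WordPress post IDs are plain positive integers; anything else is a non-integer probe.
    return value.isdigit()

def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    # One record per posts-route request carrying a non-integer identifier.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        route, ids = rest_route_and_id_values(m.group("target")) if m else (None, [])
        bad = [v for v in ids if not is_clean_post_id(v)]
        if route is not None and bad:
            hits.append({"ip": m.group("ip"), "method": m.group("method"), "route": route,
                         "bad_ids": ",".join(bad), "status": m.group("status")})
    return hits
```

Run against the constructed sample, three of the five requests are flagged (the two non-integer path segments and the non-integer `id` parameter); a 200 status on a flagged write request is the case worth investigating first.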
