WordPress 4.7 vulnerabilities – update now to avoid hack

I was recently alerted by a client about a hack that was a result of running WordPress version 4.7. This particular instance was a pretty harmless hack, which was identified as a defacement (MW:DEFACED:01) “generally done for fun, political reasons and by script kiddies.” A blog post was edited with the text “Hacked by Imam” overwriting the original content of the post. Searching for the hack message on the Internet turned up thousands of results, and after a little research I learned that it was hacked because of a WordPress vulnerability.

The WordPress 4.7 release was a major milestone that brought many new features, and it is one that has many developers very excited. WordPress now ships with a REST API (also known as the JSON API), which makes it a fully-fledged application framework. This means that you can use WordPress to build applications. However, a severe content injection vulnerability has been discovered in the REST API that allows unauthenticated users to modify the content of any post or page within WordPress. An update was released to fix the vulnerability. If you haven’t updated yet, you should do so immediately.

More details on the security patch and the vulnerabilities it fixes: WordPress 4.7.2 Security Release

Beyond the vulnerabilities found in the new WordPress version, the REST API could have other potential weaknesses, because it exposes some sensitive data that attackers can use against your site, including user names.

Rest API JSON Response Using Postman

If you’re not using the REST API, it’s recommended that you disable it, which you can easily do by installing the plugin Disable REST API.

WordPress REST API vulnerabilities
JSON response from domain.com/wp-json/wp/v2/user using web browser

How Do I Know the REST API Is Enabled?

You can tell that the REST API is enabled by looking at your site in a browser. After the site URL, append “/wp-json/wp/v2”. For example: http://example.com/wp-json/wp/v2

If you see a block of text, which is actually a JSON string describing the API, then the REST API is enabled. If it has been disabled, you should instead see the following text:

{"code":"rest_disabled","message":"The REST API is disabled on this site."}
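The same check can be scripted so it can be run across several sites or from a cron job. The following Python script is an added example and is not code from the original post or from the Disable REST API plugin. It fetches the /wp-json/wp/v2 index, classifies the body as enabled, disabled or unknown, and lists the routes an enabled index advertises. The `rest_disabled` code and message are the ones quoted above; the sample bodies embedded in the script are constructed for illustration, and `check_site` is only invoked when the script is run directly, so everything else works offline.

```python
"""Check whether a WordPress site's REST API answers at /wp-json/wp/v2.

Added example, not code from the original post. The rest_disabled code and
message are the ones quoted in the post; the sample bodies below are
constructed for illustration and do not come from a real site.
"""
import json
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Body WordPress returns when the API is switched off (quoted in the post).
DISABLED_BODY = (
    '{"code":"rest_disabled","message":"The REST API is disabled on this site."}'
)

# Constructed stand-in for a live index response: the real one is much larger,
# but it always carries the namespace and a "routes" map.
ENABLED_BODY = (
    '{"namespace":"wp/v2","routes":{'
    '"/wp/v2":{"namespace":"wp/v2","methods":["GET"]},'
    '"/wp/v2/posts":{"namespace":"wp/v2","methods":["GET","POST"]}}}'
)


def classify_rest_response(body: str) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a /wp-json/wp/v2 body."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"  # HTML error page, theme output, redirect page, etc.
    if not isinstance(data, dict):
        return "unknown"
    if data.get("code") == "rest_disabled":
        return "disabled"
    if data.get("namespace") == "wp/v2" and isinstance(data.get("routes"), dict):
        return "enabled"
    return "unknown"


def exposed_routes(body: str) -> list:
    """List the route paths an enabled index advertises, so you can see at a
    glance which endpoints (posts, users, ...) are reachable on the site."""
    if classify_rest_response(body) != "enabled":
        return []
    return sorted(json.loads(body)["routes"].keys())


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch <base_url>/wp-json/wp/v2 and classify it (network access needed)."""
    req = Request(
        base_url.rstrip("/") + "/wp-json/wp/v2",
        headers={"User-Agent": "rest-api-check/1.0"},
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except HTTPError as err:
        # A disabled API may be sent with an HTTP error status but still
        # carries the JSON body, so read and classify it rather than give up.
        body = err.read().decode("utf-8", errors="replace")
    return classify_rest_response(body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: rest_api_check.py https://your-site.example")
    print(check_site(sys.argv[1]))
```

Run it as `python rest_api_check.py https://your-site.example` against a site you administer; an `enabled` result after you believed the API was switched off means the plugin is not active or is being bypassed by another plugin's filter, and is worth investigating.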

Conclusion

WordPress 4.7 has some vulnerabilities, and there are two simple things you should do to remedy them. First, make sure you’re running the latest version of WordPress (4.7.2 at the time of this writing). Second, disable the REST API if you are not using it.
