Security flaw allows hackers to attack WordPress websites with ease - immediate update needed
Posted on 10 February 2017
Websites running versions 4.7.0 and 4.7.1 of WordPress are at risk of a severe content injection security flaw.
The zero-day vulnerability relates to the WordPress REST API, which is enabled by default on those two versions. Attackers have been able to use the API to view, edit, delete and create posts on websites running the popular open source content management system.
Thousands of websites have already been affected by the flaw, mostly in the form of SEO or advertising spam content being injected into posts. That indicates that attackers have been focusing on driving traffic to their own websites - either directly or through artificially inflated Google rankings - in order to generate revenue.
But on websites using plugins with security vulnerabilities of their own, hackers have gone on to execute PHP code after using the zero-day vulnerability to gain initial access to the CMS.
It is estimated that four groups of hackers working to take advantage of the security loophole have succeeded in compromising 66,000 WordPress websites so far. And with many website owners and operators still unaware of the flaw at present, that number could grow.
WordPress released version 4.7.2 on January 26. This patch fixed the zero-day vulnerability and a couple of other security issues that had been found in the previous versions.
Disappointingly, the fix was issued as a standard WordPress update, with the security team making no great fanfare about the flaw or the urgent need to update to the new version of the CMS.
The best advice is to back up your website and then immediately install the latest release. You will find the latest security update here.
If your WordPress installation is set to automatically update to the latest version, then it should already be running 4.7.2. It is worth double-checking that this is the case and, if it isn’t, do a manual update.
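To carry out the double-check described above, here is an added Python helper (not from the article) that reads the version string from wp-includes/version.php and reports whether the installation is on one of the two affected releases, 4.7.0 or 4.7.1. The path to the version file follows the standard WordPress layout, and the sample file content is constructed for the demonstration.

```python
import re
from pathlib import Path

# The article names 4.7.0 and 4.7.1 as affected and 4.7.2 as the fixed release.
# Tuples are (major, minor, patch, release_flag); release_flag is 0 for a
# final release and -1 for a pre-release, so a 4.7.2 RC sorts below 4.7.2.
FIRST_AFFECTED = (4, 7, 0, 0)
FIXED_IN = (4, 7, 2, 0)

def parse_version(version: str) -> tuple:
    """Turn a WordPress version string into a comparable tuple.

    WordPress writes x.y releases without a trailing '.0' (the 4.7.0
    release reports itself as '4.7'), and pre-releases carry a suffix
    such as '-RC1' or '-beta2'. The numeric part is padded to three
    components; any suffix marks the build as a pre-release.
    """
    core, sep, _suffix = version.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    padded = (numbers + (0, 0, 0))[:3]
    return padded + ((-1,) if sep else (0,))

def is_affected(version: str) -> bool:
    """True for 4.7.0 and 4.7.1 (and, conservatively, any 4.7.2 pre-release)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

def version_from_source(php_source: str) -> str:
    """Extract the $wp_version assignment from the text of version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", php_source)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)

def check_install(wp_root: str) -> bool:
    """Read wp-includes/version.php under wp_root and report if it is affected."""
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    return is_affected(version_from_source(src))

# Constructed sample of the relevant line in wp-includes/version.php;
# not copied from any real installation.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"

if __name__ == "__main__":
    ver = version_from_source(SAMPLE_VERSION_PHP)
    status = "AFFECTED - update to 4.7.2 or later" if is_affected(ver) else "not affected"
    print(f"WordPress {ver}: {status}")
```

Point check_install() at the web root of a live site to test the real file rather than the embedded sample.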