WordPress Quietly Fixes Zero-Day Flaw

WordPress quietly slipped out a patch for its content management system (CMS) amid fears that attackers would exploit a very serious zero-day vulnerability.

The discovery of the flaw was made by Marc-Alexandre Montpas, a security researcher at Sucuri. WordPress was alerted to the flaw on 20 January, but didn’t initially disclose the flaw in their official update announcement “to ensure the safety of millions of additional WordPress sites.”

The WordPress platform powers at least a quarter of the 10 million most popular websites, making it a popular target for hackers.

Stealthy Update

Sucuri’s Montpas only provided details on Wednesday this week of the severe content injection (privilege escalation) vulnerability, which was found in a REST API endpoint.

“This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site,” Montpas blogged.

“We disclosed the vulnerability to the WordPress Security Team who handled it extremely well,” said Montpas. “They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.”

“A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.”

Major WordPress-hosting services and web security firms offering Web Application Firewalls (WAFs), such as Cloudflare and Incapsula, were apparently warned about the vulnerability ahead of this week’s public disclosure, and ahead of the release of WordPress 4.7.2 last week, in order to minimise the risk of attacks.

Fortunately it seems that attackers were not able to exploit this vulnerability in the wild.

WordPress Explanation

For its part, WordPress explained its decision to withhold details of the zero-day flaw from its official update announcement, saying it was done in the public’s interest.

“In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed,” blogged Aaron D. Campbell of WordPress.

“We believe transparency is in the public’s best interest,” wrote Campbell. “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”

He explained that Sucuri alerted WordPress of the vulnerability on 20 January, and immediately its internal security team began assessing the issue and working on solutions.

“While a first iteration of a fix was created early on, the team felt that more testing was needed,” he wrote, before WordPress officially released WordPress 4.7.2 to the world on Thursday 26 January. “The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”

“We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible,” wrote Campbell. “As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.”
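The practical question for a site owner reading the above is simply whether a given install still sits on 4.7 or 4.7.1, the two releases Campbell names as affected, or has already taken the 4.7.2 fix. The following script is an added example, not code from the article, Sucuri or WordPress: it reads the version WordPress advertises in its default `<meta name="generator">` tag and compares it against the affected range using numeric tuple comparison, so that a hypothetical 4.7.10 is not mistaken for something older than 4.7.2 the way a plain string comparison would. The sample pages are constructed inline; many hardened sites strip the generator tag, in which case the check deliberately returns "unknown" rather than guessing.

```python
import re

# Versions as stated in the article: 4.7 and 4.7.1 carried the flaw, 4.7.2 fixed it.
FIRST_AFFECTED = (4, 7, 0)
FIXED_IN = (4, 7, 2)

# WordPress emits this tag by default unless a theme or plugin removes it.
# Assumption: attributes appear in the usual name-then-content order.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)["\']',
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '4.7.1' into (4, 7, 1); '4.7' is padded to (4, 7, 0) so it compares correctly."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_from_html(html):
    """Return the version from the generator meta tag as a tuple, or None if absent."""
    match = GENERATOR_RE.search(html)
    return parse_version(match.group(1)) if match else None


def is_affected(version):
    """True only for releases at or above 4.7 and below the 4.7.2 fix."""
    return FIRST_AFFECTED <= version < FIXED_IN


def assess(html):
    """Classify a page as 'affected', 'patched-or-unaffected', or 'unknown'."""
    version = version_from_html(html)
    if version is None:
        return "unknown"  # tag stripped: no conclusion can be drawn from the HTML alone
    return "affected" if is_affected(version) else "patched-or-unaffected"


# Constructed sample pages for demonstration; not captured from any real site.
SAMPLES = {
    "old": '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>',
    "fixed": '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>',
    "pre-rest": '<html><head><meta name="generator" content="WordPress 4.6.3" /></head></html>',
    "stripped": '<html><head><title>no generator tag</title></head></html>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(f"{name}: {assess(page)}")
```

Because the generator tag is advisory and easily removed, treat "unknown" as a prompt to confirm the version from the admin dashboard or the filesystem rather than as an all-clear.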

This is not the first time that flaws have been discovered in the WordPress platform. In 2015 Finnish researchers warned that WordPress had an unpatched vulnerability that could allow malicious code to be injected into website comments.

That same year the FBI warned of an ongoing cyber campaign by individuals sympathetic to the Islamic State in the Levant (ISIL), targeting a range of different websites, using known vulnerabilities in WordPress.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
