Content Injection Vulnerability In WordPress REST API

  • Source: Sangfor Security Center
  • Date Published: 2017-02-13

Summary

    During the Chinese Spring Festival, a severe content injection vulnerability was discovered in WordPress. This vulnerability allows an unauthorized user to inject malicious content and modify the content of any post or page on a WordPress site.

    DEFINITION FROM QIANLI ENCYCLOPEDIA

    The REST API was added and enabled by default in WordPress 4.7.0. This vulnerability allows an unauthorized user to access the REST API and edit posts, including the date, title, author, content and other fields.
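    As an added example (not part of this advisory or of Sangfor's own tooling), the following Python script scans web-server access logs for write requests to the single-post and single-page routes of the WordPress REST API, which is the traffic a successful exploitation of this bug would produce. The log lines and IP addresses are constructed; the route prefix `/wp-json/wp/v2/` and the `_method` query override are standard WordPress REST API behaviour.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed access log lines in combined format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2017:10:01:02 +0800] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1812 "-" "curl/7.50"
203.0.113.7 - - [12/Feb/2017:10:01:05 +0800] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1840 "-" "curl/7.50"
203.0.113.7 - - [12/Feb/2017:10:01:09 +0800] "POST /wp-json/wp/v2/posts/12?_method=PUT HTTP/1.1" 200 1840 "-" "curl/7.50"
198.51.100.4 - - [12/Feb/2017:10:02:00 +0800] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2017:10:03:00 +0800] "POST /wp-json/wp/v2/pages/7 HTTP/1.1" 401 120 "-" "python-requests/2.12"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Single post / single page routes of the core REST API (the collection route is excluded).
TARGET_RE = re.compile(r'^/wp-json/wp/v2/(posts|pages)/\d+')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def effective_method(method: str, path: str) -> str:
    """WP_REST_Server honours a ?_method= override, so a logged POST may act as PUT/DELETE."""
    m = re.search(r'[?&]_method=([A-Za-z]+)', path)
    return m.group(1).upper() if m else method


def find_write_attempts(log_text: str) -> List[Dict]:
    """Return every write request aimed at a single post or page, with its status code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not TARGET_RE.match(m["path"]):
            continue
        method = effective_method(m["method"], m["path"])
        if method in WRITE_METHODS:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": method,
                         "path": m["path"], "status": int(m["status"])})
    return hits


def successful_writes_by_ip(hits: List[Dict]) -> Counter:
    """Count 2xx writes per source; on 4.7.0/4.7.1 these deserve a content review."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


if __name__ == "__main__":
    attempts = find_write_attempts(SAMPLE_LOG)
    for hit in attempts:
        print(hit)
    print(successful_writes_by_ip(attempts))
```

A rejected attempt (4xx) still shows the endpoint is being probed; on a site that was on 4.7.0 or 4.7.1 before patching, the posts and pages named in the 2xx hits are the ones to check for injected content.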

    IMPACTS

    WordPress is one of the most widely used systems for building websites. The REST API is enabled by default on all sites running WordPress 4.7.0 or 4.7.1. If your site is on one of these versions, it is currently vulnerable to this bug. The bug is fixed in WordPress 4.7.2. Statistics from the official WordPress website show that WordPress 4.7 is used by more than 32.6 million users.


    Vulnerability Details

    SOLUTION

    1. The bug is fixed in WordPress 4.7.2. Download link: https://cn.wordpress.org/

    2. For Sangfor NGAF customers, update the IPS and WAF to version 20170207 or above.