Content Injection Vulnerability In WordPress REST API
- Source: Sangfor Security Center
- Date Published: 2017-02-13
During the Chinese spring festival, a severe content injection vulnerability was discovered in WordPress. This vulnerability allows an unauthorized user to inject malicious content and modify the content of any post or page within a WordPress site.
DEFINITION FROM QIANLI ENCYCLOPEDIA
The REST API was added in WordPress 4.7.0 and is enabled by default. This vulnerability allows an unauthorized user to use the REST API to edit posts, including their date, title, author and content.
WordPress is one of the most widely used systems in building websites. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your site is on these versions of WordPress, then it is currently vulnerable to this bug. This bug is fixed in WordPress 4.7.2. Statistics from the official website of WordPress show that WordPress 4.7 is widely used by more than 32.6 million users.
Vulnerability Details
1. The bug is fixed in WordPress 4.7.2. Download link: https://cn.wordpress.org/
2. For Sangfor NGAF customers, update the IPS and WAF to version 20170207 or later.
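While a site is being patched, a defender can review the web server logs for write requests to the REST API posts and pages routes, which is where this vulnerability would be exercised. The following is an added example, not code from the Sangfor advisory or from WordPress; the log lines are constructed, the log format is Apache combined, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Feb/2017:10:01:02 +0800] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Feb/2017:10:01:05 +0800] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 812 "-" "python-requests/2.13"
198.51.100.9 - - [13/Feb/2017:10:02:11 +0800] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Feb/2017:10:02:40 +0800] "POST /?rest_route=/wp/v2/posts/2 HTTP/1.1" 200 790 "-" "curl/7.52"
192.0.2.7 - - [13/Feb/2017:10:03:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One Apache combined log line: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# WordPress exposes REST routes two ways: /wp-json/... with pretty permalinks,
# and the ?rest_route= query parameter when permalinks are plain. Both are covered.
POSTS_ROUTE_RE = re.compile(r'(?:/wp-json|rest_route=)/wp/v2/(?:posts|pages)(?:/|$|\?)')

# Methods that modify content; GET reads are normal for any public site.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def find_post_writes(log_text: str) -> List[Dict[str, str]]:
    """Return parsed records for write requests against the posts/pages REST routes."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        rec = m.groupdict()
        if rec["method"] in WRITE_METHODS and POSTS_ROUTE_RE.search(rec["path"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_post_writes(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
```

Access logs do not record whether a request carried valid WordPress credentials, so each flagged request should be checked against the site's post revision history and known editors before it is treated as an intrusion.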