alphaspirit - Fotolia
WordPress waited to reveal that it patched a REST API endpoint vulnerability in an attempt to allow time for sites to update. However, since its announcement, 1.5 million sites have been attacked. What is the vulnerability, and how can enterprises secure their WordPress pages?
On Jan. 20, security company Sucuri alerted the WordPress core development team of an unauthenticated privilege escalation vulnerability in a Representational State Transfer (REST) API endpoint that enabled an attacker to modify content on a site running WordPress, an open source content management system platform.
On Jan. 26, WordPress released version 4.7.2, which contained a security fix for the vulnerability. However, the company did not immediately announce the fix, hoping its auto-update mechanism would update vulnerable sites before the issue was made public and hackers became aware of the WordPress REST API vulnerability. Automatic background updates were introduced in WordPress 3.7 to promote better security and to streamline the update experience.
Sucuri added rules to its web application firewall to block exploit attempts, while the WordPress team also worked with several security companies, such as SiteLock, Cloudflare and Incapsula, to create a set of rules that could protect more users.
Despite these steps, over 1.5 million sites were attacked using this specific WordPress REST API vulnerability. In some cases, defaced pages were defaced again by a different attacker. The security risk of the vulnerability is considered severe, while the exploitation level is easy/remote.
This privilege escalation vulnerability affects the WordPress REST
Due to weaknesses in the sanitization of the ID parameter sent to /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php, an attacker can craft a parameter to gain edit rights to change any post on the site. It's possible for a malformed alphanumeric post ID to pass the update_item_permissions_check method used by the update_item function.
As PHP performs type comparisons and conversions by type-juggling, WordPress casts the ID parameter to an integer before passing it to the get_post method, removing any alphanumeric characters and, therefore, passing a valid ID value. This means a valid request to view a post with an ID of 123 (/wp-json/wp/v2/posts/123) could be changed to /wp-json/wp/v2/posts/123?id=456
Most WordPress REST API attacks appear to have taken the form of defaced posts and pages on victim sites, but it could be possible to infect sites with a search engine optimization spam campaign, ad injection and so on. Depending on which plug-ins are installed on a site, an attacker could gain remote command execution capabilities. Site administrators should upgrade to version 4.7.2 of WordPress, if they haven't already done so, and update their firewall rules to protect against the attack. If a site has already been attacked, it will also be necessary to restore content on the compromised pages and posts.
WordPress has a mature security community and established ways of finding vulnerabilities and deploying fixes, but it is important for WordPress administrators to keep abreast of security news. Something as powerful as REST API functionality should not have been turned on by default, particularly as it won't be needed by the majority of WordPress sites. One option is to install the Disable REST API plug-in to make sure that the REST API isn't available as a potential attack vector.
Find out the steps to creating a successful RESTful API
Compare the leading API management platforms
Learn if your enterprise can benefit from using a WordPress content management system
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.