WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API Endpoint flaw that led to a million website defacements. Given that more than half of WordPress sites are still not protected against that flaw, odds are that we haven’t heard the last of that vulnerability.
The REST API vulnerability was silently patched in version 4.7.2, yet there are apparently at least one million sites that don’t have automatic updates enabled and were attacked by hackers. The defacements came quickly after the Jan. 27 release of 4.7.2 and disclosure of the issue, as hackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites such as rogue pharmaceutical solicitations.
According to WordPress statistics, 44.8 percent of sites are on at least version 4.7, meaning that the remainder are exposed to a litany of vulnerabilities addressed in older versions.
Yesterday’s 4.7.3 update included a fix for a cross-site scripting vulnerability privately disclosed by researchers at Sucuri, who also found the REST API bug. Marc Montpas, a researcher with Sucuri, said the new XSS vulnerability was found during research on the REST API flaw and could be triggered by a URL included in YouTube embeds. Montpas said the vulnerability could be exploited by users with certain privileges, such as contributors or authors. An attacker could insert malicious shortcodes in a post that would bypass the cross-site scripting protections native to WordPress.
“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”
The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API manages access: it gives values supplied as GET and POST parameters precedence over the values already present in the request route. Any request whose ID contained letters would bypass a permission check and essentially grant an attacker admin privileges.
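The access-control failure described above, as an added illustration that is not WordPress code: a simplified Python model in which a parameter override and a lenient cast let the permission check and the write disagree about which post is meant, beside a hardened version that validates the ID once and uses the same integer for both. The post store, user names and function names are constructed for the example.

```python
import re

# Constructed sample store standing in for a site's posts: id -> metadata.
POSTS = {7: {"title": "Welcome", "owner": "alice"}}

def lookup_post(raw_id):
    """Loose lookup: a purely numeric string resolves to a post, anything
    else (for example "7abc") matches nothing."""
    return POSTS.get(int(raw_id)) if str(raw_id).isdigit() else None

def vulnerable_update(route_id, params, user, new_title):
    """Model of the flawed pattern: an 'id' parameter takes precedence over
    the id matched in the route, and the check and the write normalise that
    value differently."""
    raw_id = params.get("id", route_id)
    post = lookup_post(raw_id)
    # No post is found for a value with letters in it, so there is no owner
    # to compare against and the permission check falls through.
    if post is not None and post["owner"] != user:
        return "denied"
    # The write path coerces leniently ("7abc" -> 7), landing on a post
    # the permission check never examined.
    numeric = int(re.match(r"\d*", str(raw_id)).group() or 0)
    if numeric not in POSTS:
        return "not found"
    POSTS[numeric]["title"] = new_title
    return "updated"

ID_PATTERN = re.compile(r"^\d+$")

def hardened_update(route_id, params, user, new_title):
    """Hardened pattern: refuse parameter overrides of the route id, accept
    only a strictly numeric id, and use one integer for check and write."""
    if "id" in params and str(params["id"]) != str(route_id):
        return "rejected"
    if not ID_PATTERN.fullmatch(str(route_id)):
        return "rejected"
    post_id = int(route_id)
    post = POSTS.get(post_id)
    if post is None:
        return "not found"
    if post["owner"] != user:
        return "denied"
    post["title"] = new_title
    return "updated"
```

The lesson for reviewers is the mismatch, not the cast itself: any endpoint that authorises on one representation of an identifier and acts on another needs the same strict normalisation applied before both steps.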
Researchers at SiteLock said that about 20 different hackers were trying to monetize the defacements with links to rogue pharmaceutical websites.
The REST API endpoint vulnerability was introduced in WordPress 4.7 in December and silently patched in January because of its severity. Since WordPress ships with automatic updates turned on by default, most installations are updated and secured. Sites that have disabled the feature, or whose update failed, remain vulnerable.
Another cross-site scripting vulnerability that was patched yesterday, one that could be exploited through media file metadata, was originally reported by researcher Chris Andre Dale in December 2014. Researcher Yorick Koster reported the bug again to WordPress, which discovered that the original patch only partially addressed the issue, said Aaron Campbell, recently appointed as WordPress’ new lead of security triage and resolution.
The remainder of the 4.7.3 update addressed another bug reported by student researcher Daniel Chatfield, who disclosed that control characters could trick redirect URL validation. Also patched was an issue where unintended files could be deleted by a site admin using the plugin deletion functionality. Separate cross-site scripting (via taxonomy term names) and cross-site request forgery (in Press This, which could exhaust server resources) vulnerabilities were also patched.