A patched zero-day vulnerability is at fault, but webmasters are not paying attention to updates.
Thousands of WordPress domains have been subject to attack through a severe content injection security flaw that many website operators have failed to protect themselves against.
The security flaw, a zero-day vulnerability that affects the WordPress REST API, allows attackers to modify the content of posts or pages within a website backed by the WordPress content management system (CMS).
As noted by cybersecurity firm Sucuri, one of the REST endpoints allows access via the API to view, edit, delete, and create posts.
“Within this particular endpoint, a subtle bug allows visitors to edit any post on the site,” the company says. “From there, they [attackers] can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads.”
Depending on the plugins already installed, it could also be possible for attackers to execute PHP code.
The WordPress security team silently included a fix for the zero-day vulnerability in the latest 4.7.2 release, issued on Jan. 26. The patch also fixed a number of other issues, including an SQL injection flaw and a cross-site scripting (XSS) vulnerability.
However, it seems that a number of webmasters have not kept up-to-date with their patch schedules. According to Sucuri, two weeks after the update was released to the public, evidence has emerged of attackers taking advantage of vulnerable websites in defacement campaigns.
Multiple public exploits have been shared online and over 66,000 WordPress websites have been compromised by four different groups. The researchers say they have spotted the same IP addresses and defacers “hitting almost every one of our honeypots and network.”
In one campaign, Google alone shows that thousands of websites have been compromised.
However, the three other campaigns are thankfully not so successful, with around 1,000 websites showing unauthorized messages and evidence of being defaced. Sucuri believes all the campaigns are focused on SEO spam (Search Engine Poisoning) and have noted a few attempts to add spam images and contents to posts — which, in turn, can earn these groups money.
The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If you are running these versions of the CMS, you are vulnerable to this attack.
However, if you have automatic updates installed and are running WordPress version 4.7.2, you are protected against the zero-day vulnerability. If not, you are advised to manually update as soon as possible — or run the risk of your domain joining the list of defaced websites.