Critical WordPress REST API Vulnerability

February 1, 2017 in SiteLock News
This article was co-authored by Security Researchers Gregory Bloom and Wyatt Morgan from SiteLock Research.

As you may have heard by now, WordPress 4.7.2 has arrived! This emergency patch was released by the diligent WordPress contributors following the discovery of a rather nasty vulnerability in the new WordPress REST API functionality. The WordPress REST API vulnerability that was discovered allowed for unauthenticated privilege escalation, which in layman’s terms means it’s potentially harmful as it could allow an adversary to gain unauthorized administrator privileges to any post on most WordPress websites running versions 4.7 or 4.7.1.

Is my website protected?

If you have applied WordPress patch 4.7.2, the vulnerability is no longer present. Based on the information we’ve gathered, if you have disabled the REST API (enabled by default), you are not affected by the vulnerability.

Additionally, for SiteLock TrueShield™ customers, we applied a virtual patch shortly after the issue was identified on January 21st. This virtual patch has protected all WordPress websites in the SiteLock network from this exploit since application. Nevertheless, we strongly advise that anyone still running WordPress v4.7 or 4.7.1 to apply the most recent WordPress update immediately.

What is the REST API?

WordPress REST API

The Representational State Transfer Application Programming Interface, or REST API, is a newer, lightweight way for developers to connect WordPress with other applications. REST API was introduced as a default feature in WordPress version 4.7, and is used in a number of plugins and themes. The REST API gives developers a more uniform method of external communication. Much like the introduction of the universal serial bus (USB) in computers, in which communication often required several cumbersome adapters, the REST API has become the status quo. In the ever-changing web landscape, the REST API is very beneficial to WordPress users and the future of WordPress.

What is SiteLock doing to protect me from issues like this?

SiteLock and the WordPress Security Team continue to maintain a close relationship by collaborating on security intelligence for the benefit of all WordPress users. In cases like this, in which a WordPress security patch is developed to prevent an exploit, SiteLock and the WordPress Security Team share advanced warnings with each other and quietly put additional security measures in place while the code for a patch is developed. This helps both parties to protect as many WordPress users as possible before the public release of the patch. Relax. We’ve got your back!

SiteLock Website Security and WordPress

SiteLock wishes to give a very special thank you to the WordPress Security Team, for their vigilance and continued communication throughout the process of investigating and mitigating this threat for the benefit of all WordPress users. The security team serve as models for good citizenship in the WordPress Community.

To learn more the services that SiteLock offers to protect websites, visit our WordPress Security website, The District.

Latest Articles
Follow SiteLock