WordPress Notifies Users Week After Patch Released About Serious Vulnerability


WordPress informed its users on Wednesday of a serious vulnerability that it had already patched, together with three other vulnerabilities, a week earlier. The organization says it withheld the details until now because the security of millions of websites was at stake.

In a blog post, WordPress's Aaron Campbell writes that last week's update, in addition to patching the three vulnerabilities that were announced at the time, also included an undisclosed fix for a fourth. That vulnerability was present in versions 4.7 and 4.7.1 and made it possible to remotely modify or delete the content of a WordPress page or post. According to the organization, no attempts to exploit it have been identified.

Campbell writes that the vulnerability report came in on January 20 and that more time was needed to work on a fix. During that process WordPress contacted several web application firewall vendors, such as Cloudflare and Incapsula, so that fewer sites would be exposed while the fix was prepared. The organization then reached out to other WordPress hosts. By waiting a further week after the patch was released, it wanted to give users time to update to version 4.7.2 before the details were made public.

The vulnerability was discovered by a researcher at the security company Sucuri, Marc-Alexandre Montpas. He writes that it is a serious flaw that allows remote privilege escalation: a user can obtain rights they should not have. The vulnerability affects an endpoint of the REST API. According to the researcher, depending on the plugins installed, it would not be too difficult to go from there to executing PHP code. Because the REST API content endpoints are enabled by default from 4.7 onward, any site still on 4.7 or 4.7.1 should update to 4.7.2 without delay.
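Since WordPress states that no exploitation was observed, an administrator who ran 4.7 or 4.7.1 during the exposure window will want to check their own access logs rather than take that on faith. The following is an added example written for this article; it is not code from WordPress, Sucuri or the blog post, and the article itself names only "an endpoint of the REST API". It assumes the affected routes are the single post and page resources (`/wp-json/wp/v2/posts/<id>` and `/wp-json/wp/v2/pages/<id>`, or the `?rest_route=` fallback used on sites without pretty permalinks), and it uses constructed log lines in the common combined format. It flags every content-changing request to those routes, honours WordPress's `_method` query override, and marks requests whose post ID is not a plain integer, since a valid post ID is always one.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as written by Apache and nginx; only the leading
# fields are captured, referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Single post/page resource under the core REST namespace (assumed routes;
# the article does not name the endpoint).
ROUTE_RE = re.compile(r'/wp/v2/(?P<type>posts|pages)/(?P<id>[^/]+)$')

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample lines, not taken from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Jan/2017:10:12:07 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1902 "-" "curl/7.52.1"
198.51.100.4 - - [27/Jan/2017:10:13:44 +0000] "POST /index.php?rest_route=/wp/v2/posts/12abc HTTP/1.1" 200 1910 "-" "python-requests/2.12"
198.51.100.4 - - [27/Jan/2017:10:14:02 +0000] "POST /wp-json/wp/v2/pages/7?_method=PUT HTTP/1.1" 401 95 "-" "python-requests/2.12"
192.0.2.77 - - [27/Jan/2017:10:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rest_route(target):
    """Return (type, id) when the request target addresses one post or page resource."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    qs = parse_qs(parts.query)
    if path.startswith("/wp-json"):
        route = path[len("/wp-json"):]
    elif "rest_route" in qs:
        route = qs["rest_route"][0]
    else:
        return None
    m = ROUTE_RE.search(route.rstrip("/"))
    return (m.group("type"), m.group("id")) if m else None


def flag_rest_writes(lines):
    """One record per content-changing request to a post/page REST route."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qs = parse_qs(urlsplit(rec["target"]).query)
        # WordPress lets clients override the verb with ?_method=, so judge
        # the effective method rather than the one the web server saw.
        method = qs.get("_method", [rec["method"]])[0].upper()
        if method not in WRITE_METHODS:
            continue
        route = rest_route(rec["target"])
        if route is None:
            continue
        obj_type, obj_id = route
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "method": method,
            "type": obj_type,
            "id": obj_id,
            "status": rec["status"],
            "accepted": 200 <= rec["status"] < 300,
            # Post IDs are integers; anything else is malformed and worth a look.
            "malformed_id": not obj_id.isdigit(),
        })
    return hits


def suspicious(hits):
    """Accepted writes carrying a malformed id: review these first."""
    return [h for h in hits if h["accepted"] and h["malformed_id"]]


if __name__ == "__main__":
    found = flag_rest_writes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["type"]}/{h["id"]} -> {h["status"]}')
    print("review first:", [(h["ip"], h["id"]) for h in suspicious(found)])
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. A write that returned 2xx from an address with no prior login is the record to correlate with post revision history; a 401 or 403 means the request was refused and is mostly useful for spotting who was probing.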
