A vulnerability in WordPress’ REST API has been exploited by up to 20 hackers, impacting 1.5 million WordPress sites. The majority of these attacks occurred after WordPress disclosed the vulnerability. The vulnerability allows “unauthenticated attackers to modify the content of any post or page within a WordPress site.” Before publicly disclosing the vulnerability, WordPress patched the issue in a Jan. 26 fix; however, a large number of sites do not automatically install these patches, because administrators want to test the code before installing it. As a result, once WordPress publicly disclosed the issue, the attackers rushed to hit as many vulnerable sites as possible, compromising up to 800,000 sites in only 48 hours. Although web hosts have made efforts to block or filter the attacks, ultimately, if a WordPress site is not updated to the latest release, it will remain vulnerable.
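As an added example (not from the original post or from WordPress itself), here is a small Python script a site owner could run over Apache-style access logs to find write requests to the WordPress REST API posts/pages routes and see which source addresses had content changes accepted. The log lines are constructed for the example; the `/wp-json/wp/v2/` prefix is the standard WordPress REST API route.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format) for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:10:01:03 +0000] "POST /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1200 "-" "python-requests/2.13"
203.0.113.7 - - [06/Feb/2017:10:01:04 +0000] "POST /wp-json/wp/v2/posts/43 HTTP/1.1" 200 1180 "-" "python-requests/2.13"
198.51.100.9 - - [06/Feb/2017:10:02:10 +0000] "GET /wp-json/wp/v2/pages/7 HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:10:02:11 +0000] "PUT /wp-json/wp/v2/pages/7 HTTP/1.1" 401 120 "-" "curl/7.51"
"""

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# REST routes that create or modify site content (optional item id and query string).
CONTENT_ROUTE_RE = re.compile(r'^/wp-json/wp/v2/(posts|pages)(/\d+)?(\?.*)?$')
# Only these methods change content; GET reads are normal for themes and plugins.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_content_writes(log_text):
    """Return (ip, method, path, status) for every REST write to posts/pages."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in WRITE_METHODS and CONTENT_ROUTE_RE.match(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def successful_writes_by_ip(log_text):
    """Count accepted (2xx) REST content writes per source IP.

    A 2xx means the site applied the change; logged-in editors show up here too,
    so treat the result as a triage list of posts/pages to review, not as proof.
    """
    counts = defaultdict(int)
    for ip, _, _, status in find_content_writes(log_text):
        if 200 <= status < 300:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in successful_writes_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} accepted REST content write(s); review the affected posts/pages")
```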
Comments
Mauchel Barthelemy says
This is a type of vulnerability that can be exploited with Burp Suite. This tool can be utilized to launch a similar style of attack, but to a certain extent. Using proper techniques that I won’t reveal here, a fake account can be created to sign in to a website without real credential information being stored in the website’s database server. This is the reason it is encouraged for web platforms to hire pen testers periodically.