For all you WordPress admins out there, now would be the time to ensure your WordPress engine has updated from version 4.7.1 to 4.7.2. The Hacker News reported in late January that WordPress has patched three security flaws that let remote, unauthenticated attackers modify the content of any post or page within the site.
“The nasty bug resides in WordPress REST API that would lead to the creation of two new vulnerabilities: Remote privilege escalation and Content injection bugs.”
Marc-Alexandre Montpas of Sucuri Security first reported this to the WordPress security team, who handled the matter well: they released a patch without disclosing details of the flaw, in an effort to keep attackers from exploiting the bug before millions of websites had applied the update.
“This privilege escalation vulnerability affects the WordPress REST API,” Montpas writes in a blog post. “One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.”
WordPress does have a feature that installs security patches of this kind automatically, but not all admins have it enabled. We recommend you enable this feature so that patches of this kind are applied as soon as they are released, keeping your WordPress website secure. For those who have yet to install the patch, you can find it here.
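As an added example (not code from the original post or from WordPress), here is a small Python audit an admin can run against a site's files to check the two things this post recommends: that core is at least 4.7.2, and that automatic core updates have not been switched off. It reads the contents of wp-includes/version.php and wp-config.php; WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are the real WordPress constants that control automatic core updates, and the sample file contents below are constructed for the demonstration.

```python
import re

# Constructed sample files (not from any real site): a install still on 4.7.1
# whose wp-config.php has switched automatic core updates off.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define('WP_AUTO_UPDATE_CORE', false);\n"
)

PATCHED = (4, 7, 2)  # the release that fixes the REST API bug


def parse_version(version_php):
    """Extract $wp_version from wp-includes/version.php as an int tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([\d.]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(p) for p in m.group(1).split("."))


def auto_updates_enabled(wp_config):
    """True if minor/security core releases will install automatically.

    WordPress applies minor releases by default; wp-config.php disables that
    by defining WP_AUTO_UPDATE_CORE as false or AUTOMATIC_UPDATER_DISABLED as true.
    """
    if re.search(r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)",
                 wp_config, re.I):
        return False
    m = re.search(r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*([^)]+?)\s*\)",
                  wp_config, re.I)
    if not m:
        return True  # constant undefined: default behaviour, minor updates on
    value = m.group(1).strip().strip("'\"").lower()
    return value in ("true", "minor")


def audit(version_php, wp_config):
    """Return the list of findings for the given file contents (empty = OK)."""
    findings = []
    if parse_version(version_php) < PATCHED:
        findings.append("core older than 4.7.2: REST API content injection fix missing")
    if not auto_updates_enabled(wp_config):
        findings.append("automatic core updates disabled: security releases will not self-install")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```

On a live server, read the two files from the WordPress root and pass their contents to audit(); an empty list means both checks passed.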
For a more technical explanation about the vulnerability, or how you can best secure your WordPress website, please feel free to contact us either through email or by calling (508) 453-4700.