WordPress has revealed the details of a critical privilege escalation vulnerability that was fixed in a security release last week. The fix shipped as part of a broader release, but the details of the flaw were held back until now because the project was working with hosting providers and security firms to put protections in place before attackers learned of it.
The vulnerability is in the WordPress REST API. Researchers at Sucuri discovered it and notified WordPress on Jan. 20. The WordPress security team began writing a patch for the flaw and then contacted security companies and hosts to alert them to the issue and give them time to implement rules to protect their customers.
“Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild,” Aaron Campbell, a WordPress Core contributor, wrote in an analysis of the bug and response.
“On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.”
A couple of days later, the hosting providers and security companies involved in the response had implemented their protections and reported that they had not seen any exploit attempts against the vulnerability. WordPress released an update on Jan. 26 that included a fix for the REST API flaw along with three other security patches, but it withheld the details of the bug until this week to avoid handing attackers a blueprint before sites had updated.
“Earlier this week we rolled out two rules to protect against exploitation of this issue (both types mentioned in the Sucuri blog post). We have been monitoring the situation and have not observed any attempts to exploit this vulnerability before it was announced publicly,” Ben Cartwright-Cox of CloudFlare said.
The vulnerability is fixed in WordPress 4.7.2; sites that have disabled automatic background updates need to apply it manually. Marc-Alexandre Montpas of Sucuri discovered the bug as part of a larger project the company is running to identify vulnerabilities in open source applications.
“While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site,” Montpas said.
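The hosts and WAF vendors quoted above were "checking for exploit attempts in the wild"; an operator of a single site can do a rough version of that from the web server's access log. The script below is an added example, not code from the article, WordPress, Sucuri or Cloudflare. It parses combined-format access log lines and reports write-method requests (POST, PUT, PATCH, DELETE) to the REST API posts and pages routes, in both URL forms WordPress accepts (`/wp-json/<route>` and `?rest_route=<route>`). It deliberately does not encode the specific request shape of the exploit, which the article does not reproduce; it is a triage aid, and the sample log lines are constructed. An access log cannot show whether a request carried valid credentials, so a 2xx response to a content write from an address that is not one of your known editors is what to escalate.

```python
"""Triage access logs for write requests to the WordPress REST API posts/pages routes.

Added example (not from the article or from WordPress/Sucuri/Cloudflare).
The SAMPLE_LOG lines are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The routes whose content the advisory says an unauthenticated caller could modify.
CONTENT_ROUTE_RE = re.compile(r'^/wp/v2/(posts|pages)(/|$)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: a GET, two accepted POSTs from one address (pretty and query
# form), a rejected page write, a comment write (not in scope), and a benign GET.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1523
203.0.113.7 - - [01/Feb/2017:10:12:03 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1601
203.0.113.7 - - [01/Feb/2017:10:12:05 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F2 HTTP/1.1" 200 1590
198.51.100.9 - - [01/Feb/2017:10:15:44 +0000] "POST /wp-json/wp/v2/pages/5 HTTP/1.1" 401 88
198.51.100.9 - - [01/Feb/2017:10:15:50 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 512
192.0.2.4 - - [01/Feb/2017:10:20:00 +0000] "GET /index.php?rest_route=/wp/v2/posts HTTP/1.1" 200 9021
"""


def rest_route(target):
    """Return the REST route (path only) for a request target, or None if it is not a
    REST call. Handles the pretty form (/wp-json/<route>) and the query form
    (/index.php?rest_route=<route>); parse_qs already percent-decodes the latter."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1].lstrip("/")
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_content_writes(lines):
    """Return (ip, method, route, status) for every write-method request to a
    posts/pages route. Reads and writes to other routes are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in WRITE_METHODS:
            continue
        route = rest_route(rec["target"])
        if route is None or not CONTENT_ROUTE_RE.match(route):
            continue
        hits.append((rec["ip"], rec["method"], route, int(rec["status"])))
    return hits


def summarize(hits):
    """Per-source-IP counts, split by whether the server accepted the write (2xx)."""
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ip, _method, _route, status in hits:
        key = "accepted" if 200 <= status < 300 else "rejected"
        report[ip][key] += 1
    return dict(report)


if __name__ == "__main__":
    hits = find_content_writes(SAMPLE_LOG.splitlines())
    for ip, method, route, status in hits:
        print(f"{ip:15} {method:6} {status} {route}")
    for ip, counts in summarize(hits).items():
        print(f"{ip}: {counts['accepted']} accepted, {counts['rejected']} rejected")
```

Run it against a real log with `find_content_writes(open(path))`; the "accepted" column is the one to reconcile against your list of editor addresses, and the 401/403 entries show who was probing even if the server turned them away.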
Image: Sean MacEntee, CC BY license.