WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API Endpoint flaw that led to a million website defacements. Given that the bug was introduced in WordPress 4.7 and the availability of a patch that backports fixes to all previous versions, it’s likely the impact of this bug is limited.
The REST API vulnerability was silently patched in version 4.7.2, yet there are apparently at least one million sites that don’t have automatic updates enabled and were attacked by hackers. The defacements came quickly after the Jan. 27 release of 4.7.2 and disclosure of the issue, as hackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites such as rogue pharmaceutical solicitations.
According to WordPress statistics, 44.8 percent of sites are on at least version 4.7. All patches are backported to when WordPress began its automatic update service in version 3.7. According to WordPress, the most recent release of 4.7.3 coincided with the release of 3.7.19, 3.8.19, 3.9.17, 4.0.16, 4.1.16, 4.2.13, 4.3.9, 4.4.8, 4.5.7, and 4.6.4 with the relevant security issues patched in each. This leaves only those on versions 3.6 and earlier vulnerable to any known issues, WordPress said.
Yesterday’s 4.7.3 update included a fix for a cross-site scripting vulnerability privately disclosed by researchers at Sucuri, who also found the REST API bug. Marc Montpas, a researcher with Sucuri, said the new XSS vulnerability was found during research on the REST API flaw and could be triggered by a URL included in YouTube embeds. Montpas said the vulnerability could be exploited by users with certain privileges, such as contributors or authors. An attacker could insert malicious shortcodes in a post that would bypass the cross-site scripting protections native to WordPress.
“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”
The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API handles access: it favors values supplied in GET and POST parameters over the values already parsed from the request. Any request whose ID contained letters would bypass a permission check and essentially grant an attacker admin privileges.
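As an added illustration of the detection side (not code from the article, Sucuri or WordPress), the script below scans constructed web-server access-log lines for requests to the posts endpoint whose `id` query parameter contains non-digit characters, the request shape the article describes. The endpoint path, the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2017:10:01:22 +0000] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 512 "-" "curl/7.50"
203.0.113.5 - - [03/Feb/2017:10:01:23 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2017:10:02:01 +0000] "POST /wp-json/wp/v2/posts/7?id=7x HTTP/1.1" 200 410 "-" "python-requests/2.12"
198.51.100.9 - - [03/Feb/2017:10:02:05 +0000] "POST /wp-json/wp/v2/posts/7 HTTP/1.1" 401 88 "-" "python-requests/2.12"
"""

# Captures: client ip, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The route itself only accepts digits; the problem was a separate id parameter
# (assumed endpoint path for the WordPress posts REST route)
POSTS_ROUTE_RE = re.compile(r'^/wp-json/wp/v2/posts/(\d+)/?$')


def parse_line(line):
    """Return the fields we need from one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "time": ts, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status)}


def find_bypass_attempt(entry):
    """Return the offending id value if this request matches the bypass shape."""
    if not POSTS_ROUTE_RE.match(entry["path"]):
        return None
    for value in entry["query"].get("id", []):
        if not value.isdigit():      # letters in the id: what the patch now rejects
            return value
    return None


def scan(log_text):
    """List every request that matches the bypass shape, with the id it sent."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bad_id = find_bypass_attempt(entry)
        if bad_id is not None:
            hits.append({"ip": entry["ip"], "time": entry["time"], "path": entry["path"],
                         "id_param": bad_id, "status": entry["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs only show the query-string form of the parameter; an `id` sent in a POST body is only visible with request-body logging at the WAF or application layer. A 2xx status on such a request is the case to investigate, since it indicates the site was unpatched at the time.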
Researchers at SiteLock said that about 20 different hackers were trying to monetize the defacements with links to rogue pharmaceutical websites.
The REST API endpoint vulnerability was introduced in WordPress 4.7 in December, and silently patched in January because of its severity. Since WordPress is packaged with automatic updates turned on by default, most installations are updated and secured. Those that have disabled the feature, or whose updates failed, remain vulnerable.
Another cross-site scripting vulnerability that was patched yesterday, one that could be exploited through media file metadata, was originally reported by researcher Chris Andre Dale in December 2014. Researcher Yorick Koster reported the bug again to WordPress which discovered that the original patch only partially addressed the issue, said Aaron Campbell, recently appointed as WordPress’ new lead of security triage and resolution.
“What would happen is that an administrator or author would upload my picture, and I would then have my JavaScript running 100 percent stealthy in their browser,” Dale told Threatpost. His original disclosure explained how an attacker could embed a cross-site scripting payload into image metadata, namely the EXIF data of a JPEG.
The remainder of the 4.7.3 update addressed another bug reported by student researcher Daniel Chatfield, who disclosed that control characters could trick redirect URL validation. Also patched was an issue where unintended files could be deleted by a site admin using the plugin deletion functionality. Separate cross-site scripting (via taxonomy term names) and cross-site request forgery (in Press This, which could exhaust server resources) vulnerabilities were also patched.
This article was updated March 8 with new information regarding the impact of the REST API Endpoint vulnerability.