Security Experts:

Connect with us

Hi, what are you looking for?



Many WordPress Sites Hacked via Recently Patched Flaw

The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

When WordPress 4.7.2 was released on January 26, the developers of the content management system (CMS) informed users that the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.

Roughly one week later, developers admitted that version 4.7.2 patched another flaw, described as an unauthenticated privilege escalation and content injection vulnerability affecting the REST API. The security hole allows an attacker to modify the content of any post or page on a targeted site.

The flaw, identified by researchers at Sucuri, was disclosed one week after the release of WordPress 4.7.2 to give users enough time to patch their installations. However, according to Sucuri, many WordPress websites still haven’t been updated.

Sucuri, which has tracked four different defacement campaigns, started seeing the first attacks leveraging this vulnerability less than 48 hours after disclosure.

In one of these campaigns, attackers replaced the content of more than 60,000 web pages with “Hacked by” messages. The other three operations, two of which seem to share a single IP address, have each targeted roughly 500 pages.

Hacked WordPress websites

SecurityWeek has noticed that some of the compromised websites have also been re-defaced by a fifth actor. Fortunately, some of the affected sites have already been cleaned up and updated to WordPress 4.7.2.

While these attacks appear to be carried out mostly by script kiddies looking to boost their online reputation, researchers believe the vulnerability will be increasingly exploited for search engine poisoning.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability,” explained Daniel Cid, CTO and founder of Sucuri.

The company’s WAF network has seen an increasing number of exploit attempts, reaching nearly 3,000 on Monday.

A recent report from Sucuri showed that more than half of the WordPress websites hijacked last year were outdated at the point of infection. By default, WordPress installations are updated automatically when a new version becomes available, but some administrators have disabled the feature, often due to concerns that the updates may break their websites.

Related: Brute Force Attacks on WordPress Websites Soar

Related: Backdoor Uploaded to WordPress Sites via eCommerce Plugin Zero-Day

Related: Recently Patched Drupal Flaw Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.