Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Many WordPress Sites Hacked via Recently Patched Flaw

The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday.

When WordPress 4.7.2 was released on January 26, the developers of the content management system (CMS) informed users that the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.

Roughly one week later, developers admitted that version 4.7.2 patched another flaw, described as an unauthenticated privilege escalation and content injection vulnerability affecting the REST API. The security hole allows an attacker to modify the content of any post or page on a targeted site.

The flaw, identified by researchers at Sucuri, was disclosed one week after the release of WordPress 4.7.2 to give users enough time to patch their installations. However, according to Sucuri, many WordPress websites still haven’t been updated.

Sucuri, which has tracked four different defacement campaigns, started seeing the first attacks leveraging this vulnerability less than 48 hours after disclosure.

In one of these campaigns, attackers replaced the content of more than 60,000 web pages with “Hacked by” messages. The other three operations, two of which seem to share a single IP address, have each targeted roughly 500 pages.

Hacked WordPress websites

SecurityWeek has noticed that some of the compromised websites have also been re-defaced by a fifth actor. Fortunately, some of the affected sites have already been cleaned up and updated to WordPress 4.7.2.

While these attacks appear to be carried out mostly by script kiddies looking to boost their online reputation, researchers believe the vulnerability will be increasingly exploited for search engine poisoning.

Advertisement. Scroll to continue reading.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability,” explained Daniel Cid, CTO and founder of Sucuri.

The company’s WAF network has seen an increasing number of exploit attempts, reaching nearly 3,000 on Monday.

A recent report from Sucuri showed that more than half of the WordPress websites hijacked last year were outdated at the point of infection. By default, WordPress installations are updated automatically when a new version becomes available, but some administrators have disabled the feature, often due to concerns that the updates may break their websites.

Related: Brute Force Attacks on WordPress Websites Soar

Related: Backdoor Uploaded to WordPress Sites via eCommerce Plugin Zero-Day

Related: Recently Patched Drupal Flaw Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.