Shhh. Serious zero-day vulnerability quietly patched, after WordPress intentionally delayed disclosure of the flaw
WordPress quietly slipped out a patch for its content management system (CMS) amid fears that attackers would exploit a very serious zero-day vulnerability.
The discovery of the flaw was made by Marc-Alexandre Montpas, a security researcher at Sucuri. WordPress was alerted to the flaw on 20 January, but didn’t initially disclose the flaw in their official update announcement “to ensure the safety of millions of additional WordPress sites.”
The WordPress platform powers at least a quarter of the 10 million most popular websites, making it a popular target for hackers.
Sucuri’s Montpas only provided details of the severe content injection (privilege escalation) vulnerability that was found in a REST API endpoint on Wednesday this week.
“This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site,” Montpas blogged.
“We disclosed the vulnerability to the WordPress Security Team who handled it extremely well,” said Montpas. “They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.”
“A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.”
It seems that major WordPress-hosting services and web security firms offering Web Application Firewalls (WAFs) such as Cloudflare and Incapsula were apparently warned about the vulnerability ahead of this week’s public disclosure, and ahead of the release of WordPress 4.7.2 last week. This was done to help minimise the risk of attacks.
Fortunately it seems that attackers were not able to exploit this vulnerability in the wild.
For its part WordPress explained its decision to withhold details of the zero-data flaw in its official update announcement and said it was done in the ‘public industry.’
“In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed,” blogged Aaron D. Campbell of WordPress.
“We believe transparency is in the public’s best interest,” wrote Campbell. “It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.
He explained that Sucuri alerted WordPress of the vulnerability on 20 January, and immediately its internal security team began assessing the issue and working on solutions.
“While a first iteration of a fix was created early on, the team felt that more testing was needed,” he wrote, before WordPress officially released WordPress 4.7.2 to the world on Thursday 26 January. “The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.”
“We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible,” wrote Campbell. “As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.”
This is not the first time that flaws have been discovered in the WordPress platform. In 2015 Finnish researchers warned that WordPress had an unpatched vulnerability that could allow malicious code to be injected into website comments.
That same year the FBI warned of an ongoing cyber campaign by individuals sympathetic to the Islamic State in the Levant (ISIL), targeting a range of different websites, using known vulnerabilities in WordPress.
Quiz: Are you a security pro?