WordPress Rest API Vulnerability Found

Tay


It didn't take long for the WordPress Rest API to be exploited like discussed previously (Wordpress Now Adding REST API and oEmbed Lines in the Header):

While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.

Are You At Risk?

This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.

One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.

...

Due to this type-juggling issue, it is then possible for an attacker to change the content of any post or page on a victim’s site. From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads, etc.


Source: Content Injection Vulnerability in WordPress

--

So if you are running WordPress, it's time to update or better yet - STOP running WordPress, things will only continue to get worse.
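The advisory quoted above boils down to one detection question for a site owner: did anything edit posts or pages through the REST API that should not have? The script below is an added example, not code from this thread, from Sucuri or from WordPress. It walks web-server access-log lines in the common "combined" format and flags write requests (POST/PUT/PATCH/DELETE) to the posts and pages REST routes, in both the pretty-permalink form (/wp-json/...) and the ?rest_route= form. The log lines are constructed for the example. One caveat it cannot remove: an access log does not record whether a request carried a valid login or nonce, so an accepted write here is a lead to correlate with WordPress's own user activity and post revision history, not proof of an unauthenticated edit.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Nginx "combined" format).
# These are made up for the example; they are not from the page or any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2017:10:01:12 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2017:10:01:13 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2210 "-" "python-requests/2.12"
198.51.100.7 - - [01/Feb/2017:10:02:40 +0000] "POST /wp-json/wp/v2/posts/7 HTTP/1.1" 401 86 "-" "curl/7.51"
192.0.2.9 - - [01/Feb/2017:10:03:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2017:10:03:15 +0000] "PUT /index.php?rest_route=/wp/v2/pages/2 HTTP/1.1" 200 1800 "-" "python-requests/2.12"
192.0.2.9 - - [01/Feb/2017:10:04:30 +0000] "DELETE /wp-json/wp/v2/posts/3 HTTP/1.1" 403 90 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [timestamp], "METHOD target HTTP/x", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The routes the advisory is about: the posts controller and the pages one built on it.
CONTENT_ROUTE_RE = re.compile(r'^/wp/v2/(?P<type>posts|pages)(?:/(?P<id>[^/]+))?/?$')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rest_route(target):
    """Return the REST route a request target addresses, or None for non-REST requests.

    WordPress exposes the API both as /wp-json/<route> (pretty permalinks) and as
    /index.php?rest_route=<route>; both forms are normalised to "<route>" here.
    """
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]          # keeps the leading slash
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    return None


def find_content_writes(log_text):
    """Return every write request aimed at the posts/pages REST routes,
    annotated with the normalised route, content type and targeted item id."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        route = rest_route(rec["target"])
        if route is None:
            continue
        rm = CONTENT_ROUTE_RE.match(route)
        if rm is None:
            continue
        rec["route"] = route
        rec["type"] = rm.group("type")
        rec["id"] = rm.group("id")
        findings.append(rec)
    return findings


def successful_writers(findings):
    """Count accepted (2xx) content writes per client address. On a site where nobody
    is expected to edit content through the REST API, every entry here needs review."""
    return Counter(f["ip"] for f in findings if 200 <= f["status"] < 300)


if __name__ == "__main__":
    hits = find_content_writes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["route"]} -> {h["status"]} ({h["ua"]})')
    print("accepted writes per client:", dict(successful_writers(hits)))
```

Rejected writes (401/403) are kept in the findings on purpose: a burst of them from one client just before an accepted one is the shape you want to see in the output, and a version check (4.7.0 or 4.7.1 per the advisory) tells you whether the accepted ones could have come from the bug rather than from a logged-in editor.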
 
They forced a hot-patch update, thankfully. I'm literally done with Wordpress. I will never build another project on this CMS. It was one thing when we could turn this off. But they turned off the ability to turn it off, only for it to have been vulnerable. That's as bad as it could possibly get. They lost me forever. I may even migrate my current main project off of Wordpress, that's how disgusted I am at their betrayal. They knew better than we did and removed our ability to protect ourselves, only for them to have been wrong (of course they were).
 

Been thinking of the same thing for a while now, for my older sites.
Ah - the pain of migrating old sites versus the risk of more security breaches. :wonder:

On another note, this is true for most of the third party open source frameworks. There is always a risk of known and unknown security holes.

I don't believe in using security by obscurity as the only means of defense, but writing a framework seems more and more the better option. Or at least, reusing a framework you know inside out.
 
As much as it sucks to learn a new platform, ie flat file, etc. Wordpress is just no longer an option.

It's getting too bloated and their totalitarian approach of forcing plugins, WP branding, removing options and hard coding things people don't want into the core is out of control! All of which comes with decreased performance and security holes.

They are going the same route vBulletin went... Down the drain. There was a time when vB 3 was king. It was fast, secure, light and brilliantly coded. Almost everything you wanted, it had it. It did what a forum was supposed to do. Then came along 4 and 5 where it was coded like absolute shit, full of security holes, and released version after version with more than 50% of the entire code left unfinished. And all those fancy new features? Well you STILL had to use plugins... They destroyed the core itself.

Since I first started using WP I really can't name ONE update that improved the core. This is over years and years and years... The only real improvements have been by plugins, of which you can pick and choose what YOU want. Not what some WP cunt who runs a 100 visitor a month blog and thinks he's hot shit, says this is what you want. Not what some WP dev who's only blog is a personal one, and thinks he knows the "industry" because he's a techy.

It's a big hassle to migrate to something else, but I believe in the future there will be options. Someone will come along and streamline it to where it's a 5 min process and not an expensive, 5 day and beyond intensive transfer or w/e.

I'm amazed they KNEW this type of shit was hacked in the past! Yet, they STILL brushed it off and decided to do it again. Truly a WTF moment! This isn't a hacker putting in serious work or a one off deal. This is Wordpress being careless and reckless.

At this rate things are only going to get worse. Which is a shame, Wordpress was such a great platform... But with every update the direction that ship is sailing is clear... And well, it's not looking good.

It's interesting to see this pattern play out from VB and now to WP. The cycle just continues.
 
They lost me forever. I may even migrate my current main project off of Wordpress, that's how disgusted I am at their betrayal.

And what could be a good alternative to WordPress?
 
Hugo + some sort of JS for functionality and interactivity (or Sumome or whatever third party JS-based lead gen stuff you want)
 