February 1, 2017

WordPress Content Injection Vulnerability – Update Immediately

by blackbird

If you are not running WordPress 4.7.2, go to your website and update immediately before finishing this post.

WordPress version(s) affected: 4.7.0+

Patched in version: 4.7.2

Severity: EXTREME

About the Vulnerability

Any person or bot that can reach the site's public endpoints can add content to any post or page using only the REST API. The attacker does not need to be logged in to perform the content injection.

The vulnerability was discovered by the Sucuri team and reported to the WordPress team. A patch was pushed in the latest version of WordPress (4.7.2).
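As an added example (not code from this post or from Sucuri), the following Python script scans web-server access-log lines in the common "combined" format for write requests to the posts and pages REST endpoints, so a site owner can see whether such requests reached the site before it was updated. The log lines are constructed for illustration, and the log format and endpoint paths are assumptions about a typical WordPress install.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2017:10:12:03 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 1342 "-" "python-requests/2.12"
198.51.100.7 - - [01/Feb/2017:10:15:44 +0000] "GET /?p=12 HTTP/1.1" 200 8001 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2017:10:16:10 +0000] "POST /wp-json/wp/v2/pages/3 HTTP/1.1" 401 120 "-" "python-requests/2.12"
192.0.2.9 - - [01/Feb/2017:10:20:00 +0000] "PUT /wp-json/wp/v2/posts/7 HTTP/1.1" 200 1290 "-" "curl/7.51"
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Write methods against the REST collections the post names: posts and pages.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REST_WRITE_PATH = re.compile(r"^/wp-json/wp/v2/(posts|pages)(/|$|\?)")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rest_writes(log_text):
    """Return entries where a write method hit the posts/pages REST endpoints.
    A 2xx status means the server may have persisted a change; non-2xx hits are
    kept as well, because repeated rejected writes from one client still merit a look."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] in WRITE_METHODS and REST_WRITE_PATH.search(e["path"]):
            e["succeeded"] = e["status"].startswith("2")
            hits.append(e)
    return hits


def summarize(hits):
    """Count successful REST writes per client IP, for triaging which posts to review."""
    return Counter(h["ip"] for h in hits if h["succeeded"])


if __name__ == "__main__":
    hits = find_rest_writes(SAMPLE_LOG)
    for h in hits:
        flag = "review post" if h["succeeded"] else "rejected"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({flag})')
    print(summarize(hits))
```

Legitimate authenticated clients use the same endpoints, so a hit is a lead to check that post's revision history against known editor activity, not proof of injection by itself.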

What should you do?

You should update WordPress to version 4.7.2. If you have disabled your “Auto Updates” for WordPress, now is a good time to re-enable them. If you are not able to update your WordPress site, contact us and we can provide assistance.