[Security news] Content injection vulnerability in WordPress 4.7.0/4.7.1

On the 1st of February 2017 a security vulnerabitity that allows a visitor to modify the content of a WordPress page has been dicovered.

How it works ?

An unauthenticated user can get additional rights by exploiting a vulnerability in the REST API and doing so is able to modify the content of any page of the vulnerable WordPress site.

Am i concerned ?

The REST API has been added in WordPress 4.7.0

The API allows to see/edit/delete/create an article. Thanks to a bug a visitor can do those actions.

This API has been enabled by default since added, if you use version 4.7.0 or 4.7.1 you are concerned.

How i fix this ?

A patch has been released, you can update you WordPresss to version 4.7.2 to fix the issue.

It is highly recommended to enable automatic updates on your WordPress.

Sources : sucuri.net article

Add new comment