Vulnerabilities in out-of-date WordPress websites

It’s no secret that building a platform like WordPress is a complex ordeal. It’s a constant race between developers finding holes and plugging them and attackers finding holes and exploiting them. We’ve even posted about hacking in a previous article, and about how themes and plugins are the culprit 51% of the time.

We were recently contacted by someone whose website had been attacked. The attack itself did no damage beyond the defacement: it did nothing but overwrite a post with its own message, but the result looked very unprofessional.

The vulnerability exploited in this attack is present in WordPress 4.7.0 and 4.7.1 and was fixed in 4.7.2. Version 4.7 was the first release to ship the REST API enabled by default, and its posts endpoint has a flawed permission check. The check looks up the post using the raw `id` parameter from the request; if an attacker supplies a value that is not a plain number (for example `123abc` instead of `123`), no post is found and the check passes, while the code that performs the update casts the same value to an integer and edits post 123 anyway. The upshot is that anyone, without logging in, can replace the content of any post, which is exactly what happened to the site described above. If you want the code-level details, Sucuri’s write-up of the vulnerability covers them.
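The tell-tale sign of this attack in a web server access log is a write request to the single-post REST route whose `id` query parameter is not a plain integer. The scanner below is an added example, not code from the original post, from WordPress or from Sucuri; it assumes the default Apache/Nginx combined log format, the attack pattern as disclosed by Sucuri (a non-numeric `id` such as `123abc` overriding the numeric id in the route), and that the site is reached either through pretty permalinks (`/wp-json/wp/v2/posts/123`) or through the `rest_route` query parameter. The sample log lines are constructed for the example.

```python
"""Scan access logs for WordPress 4.7.0/4.7.1 REST API content-injection attempts.

Added example (not code from the original post, WordPress or Sucuri). Assumptions:
combined log format, and the disclosed attack pattern of a write request to the
posts item route whose "id" query parameter is non-numeric (e.g. 123abc).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Single-post route of the core REST API, matched on the pretty path
# (/wp-json/wp/v2/posts/123) or on the rest_route query value
# (/?rest_route=/wp/v2/posts/123) used when pretty permalinks are off.
POSTS_ITEM_ROUTE = re.compile(r'/wp/v2/posts/(?P<route_id>\d+)/?$')
# Methods the REST API accepts for updating a post; a GET with an odd id is only a read.
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def _route_id(path):
    """Numeric post id from a REST route path, or None if it is not the posts item route."""
    m = POSTS_ITEM_ROUTE.search(path)
    return m.group("route_id") if m else None


def classify(line):
    """Return a finding dict if the line looks like the id-override trick, else None."""
    m = LOG_LINE.match(line)
    if not m or m.group("method") not in WRITE_METHODS:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values
    route_id = _route_id(unquote(parts.path))
    for rr in query.get("rest_route", []):
        route_id = route_id or _route_id(rr)
    if route_id is None:
        return None
    # The bypass needs an "id" parameter that overrides the route id and is not a plain
    # integer; a purely numeric id is an ordinary (authenticated) edit and is not flagged.
    odd_ids = [v for v in query.get("id", []) if not v.isdigit()]
    if not odd_ids:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "post_id": int(route_id),
        "id_param": odd_ids[0],
        # 200 on a 4.7.0/4.7.1 site means the post was rewritten; 401/403 means refused.
        "status": int(m.group("status")),
    }


def scan(lines):
    """All findings across an iterable of access-log lines, in order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not a real capture): two attempts, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2017:10:14:02 +0000] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 1843 "-" "curl/7.51.0"',
    '203.0.113.7 - - [01/Feb/2017:10:14:05 +0000] "POST /?rest_route=%2Fwp%2Fv2%2Fposts%2F123&id=123xyz HTTP/1.1" 200 1843 "-" "curl/7.51.0"',
    '198.51.100.2 - - [01/Feb/2017:10:15:00 +0000] "GET /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Feb/2017:10:16:00 +0000] "POST /wp-json/wp/v2/posts/123?id=123 HTTP/1.1" 401 94 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} post {f['post_id']} id={f['id_param']!r} -> HTTP {f['status']}")
```

Run it against a real log with `scan(open("access.log"))`. One caveat: the REST API also accepts the `id` parameter in a JSON or form-encoded request body, and access logs do not record bodies, so a clean scan does not prove nothing happened; a 200 on any flagged line, on the other hand, means the post was rewritten and the site was still on 4.7.0 or 4.7.1 at the time.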

Hedge your bets

If you are working on the web, you are never 100% safe from exploits, so the practical goal is to reduce your risk by keeping your software up to date. That means every layer of the stack: WordPress core, themes and plugins, PHP, MySQL, and the operating system underneath, whether Linux or Windows. Every one of them is an attack surface. This particular bug is a good illustration: WordPress 4.7.2 with the fix was released a week before the vulnerability was made public, so sites that had automatic minor updates enabled were already patched by the time attackers started using it, while sites that had switched automatic updates off were the ones defaced. Leave automatic updates on, and if you cannot, check your version (the dashboard, or `wp core version` with WP-CLI) and update promptly whenever a security release appears.