Vulnerabilities in out-of-date WordPress websites

It’s no secret that building a platform like WordPress is a complex undertaking. It’s a constant race between developers finding and fixing vulnerabilities and attackers trying to exploit them. We’ve even posted about hacking in a previous article. When a WordPress website is compromised, an outdated theme or plugin is the entry point about 51% of the time, which makes keeping those up to date the single most effective defence.

We were recently contacted by someone whose website had been attacked. The attack by itself was low-impact, as it did nothing but post a message, but it looked very unprofessional. It also showed that an outsider had been able to write to the site's content, and the same access could just as easily have been used to plant spam links or make changes that are far less visible than a defacement.

The vulnerability exploited in this attack affects WordPress 4.7.0 and 4.7.1 and was fixed in 4.7.2. These versions ship with the REST API enabled by default. By sending specific requests to that API, a remote, unauthenticated visitor could circumvent a flawed if-statement in the API's permission check and overwrite a post with their own content (as seen above). If you want the technical details, there is a more thorough write-up of the vulnerability in this Sucuri blog article.
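The pattern behind a flaw like this is a permission check that is only evaluated when a lookup succeeds, followed by an update step that interprets the same request parameter differently, so an ID the check cannot resolve is still accepted by the write. The following is an added example, not WordPress code and not code from the original article: a constructed PHP model of that pattern next to a hardened version. The in-memory post store, the function names and the behaviour of the lookup are all hypothetical; the exact WordPress code path is documented in the Sucuri write-up referenced above.

```php
<?php
// Added example: a constructed model of the "skipped permission check" pattern.
// Nothing here is WordPress source; all names and data are hypothetical.

// Constructed in-memory "database": post ID => post record.
$POSTS = [
    123 => ['id' => 123, 'author' => 'editor', 'content' => 'Original content'],
];

// Hypothetical strict lookup: returns null for anything that is not a plain
// integer string, e.g. "123abc" (is_numeric() rejects it).
function load_post(array $posts, $id): ?array {
    if (!is_numeric($id) || (string)(int)$id !== (string)$id) {
        return null;
    }
    return $posts[(int)$id] ?? null;
}

// Hypothetical capability check: only the author may edit.
function can_edit(?array $post, ?string $user): bool {
    return $post !== null && $user !== null && $post['author'] === $user;
}

// VULNERABLE: the capability check is guarded by "$post &&", so a request ID
// the lookup cannot resolve skips it entirely ...
function update_post_vulnerable(array &$posts, $request_id, ?string $user, string $new): string {
    $post = load_post($posts, $request_id);
    if ($post && !can_edit($post, $user)) {   // flawed: null $post short-circuits
        return 'forbidden';
    }
    // ... while the write path normalises the ID with a cast instead.
    $id = (int)$request_id;                   // (int)"123abc" === 123 in PHP
    if (!isset($posts[$id])) {
        return 'not found';
    }
    $posts[$id]['content'] = $new;
    return 'updated';
}

// HARDENED: validate and normalise the ID once, fail closed on anything
// unexpected, and run the capability check on the exact record being written.
function update_post_fixed(array &$posts, $request_id, ?string $user, string $new): string {
    if (!is_int($request_id) && !is_string($request_id)) {
        return 'invalid';
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string)$request_id)) {
        return 'invalid';                     // "123abc" never reaches the cast
    }
    $id = (int)$request_id;
    $post = $posts[$id] ?? null;
    if ($post === null) {
        return 'not found';
    }
    if (!can_edit($post, $user)) {            // no short-circuit on a missing post
        return 'forbidden';
    }
    $posts[$id]['content'] = $new;
    return 'updated';
}

// Demonstration: an anonymous caller (no user) supplies a non-integer ID.
$v = $POSTS;
printf("vulnerable, id=123abc, no user: %s, content is now '%s'\n",
    update_post_vulnerable($v, '123abc', null, 'pwned'), $v[123]['content']);

$f = $POSTS;
printf("fixed, id=123abc, no user: %s, content is still '%s'\n",
    update_post_fixed($f, '123abc', null, 'pwned'), $f[123]['content']);

$f2 = $POSTS;
printf("fixed, id=123, author: %s, content is now '%s'\n",
    update_post_fixed($f2, '123', 'editor', 'edited'), $f2[123]['content']);
```

The point to take away is not the specific cast but the structure: whenever a check and the action it guards parse the same input separately, any disagreement between the two parsers is a bypass. Normalise once, reject anything that does not match the expected shape, and never let a failed lookup turn into a skipped authorisation check.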

Hedge your bets

If you run anything on the web, you are never 100% safe from exploits, so the goal is to reduce risk, and the cheapest way to do that is to keep your software up to date. That applies to every layer of the stack: WordPress core, themes and plugins, PHP, MySQL and the operating system, whether Linux or Windows. Any one of them can be the entry point. WordPress installs minor security releases (such as 4.7.2) automatically unless that has been switched off, so check that automatic updates are still enabled, and update themes and plugins yourself, because those are not updated automatically by default.

Has your website been exploited?

We often have to deal with sites that have been attacked through vulnerabilities like this one. If you need help cleaning up your site, send us a message.