Helios Solutions


Congratulations WordPress! For Efficiently Fixing Critical Zero-Day

4 min. read time

The CMS you are using may have a severe content injection (privilege escalation) vulnerability. Recently, a Sucuri researcher discovered that WordPress has a privilege escalation vulnerability affecting the REST API. If your website runs on WordPress 4.7.0 or 4.7.1, where this REST API is enabled by default, then it is vulnerable to this bug. WordPress released its latest version (4.7.2) last month. Its official blog described it as a security release fixing three security issues affecting versions 4.7.1 and earlier. However, the popular CMS did not disclose at that time that the update also fixes the content injection vulnerability. Why did they keep their users in the dark?
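Because the affected range is so narrow (4.7.0 and 4.7.1, with 4.7.2 carrying the fix), the first check a site owner wants is whether a given install sits inside it. The script below is an added example written for this post, not code from WordPress or Sucuri: it reads the `$wp_version` assignment that a WordPress core ships in `wp-includes/version.php`, normalises the string, and classifies it against the versions named above. The `SAMPLE_VERSION_PHP` text is a constructed stand-in for that file, and the classification labels are this example's own naming.

```python
import re
import sys

# Versions the post names as affected (REST API enabled by default) and the
# release in which the fix was silently shipped.
AFFECTED_VERSIONS = {(4, 7, 0), (4, 7, 1)}
FIXED_VERSION = (4, 7, 2)

# Constructed sample of the assignment found in wp-includes/version.php on a
# real install; the real file carries more variables around this line.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.1';
"""

_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php_text):
    """Return the $wp_version string from version.php text, or None if absent."""
    m = _VERSION_RE.search(version_php_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'4.7' -> (4, 7, 0); missing components are padded with 0.

    WordPress labels the first release of a branch '4.7', not '4.7.0', so the
    padding is needed to match it against AFFECTED_VERSIONS.
    """
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version):
    """Classify a version string against the range described in the post.

    Returns 'affected', 'fixed', 'older-release' or 'prerelease'. A string with
    a suffix such as '4.7.2-alpha' is a nightly/pre-release build; its base
    number says nothing reliable about whether the fix is present, so it is
    flagged for manual review rather than guessed at.
    """
    if "-" in version:
        return "prerelease"
    v = version_tuple(version)
    if v in AFFECTED_VERSIONS:
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    # Cores before 4.7 do not ship the REST API content endpoints by default;
    # the post does not describe them as affected by this particular bug.
    return "older-release"


def check_install(version_php_text):
    """Combine parsing and assessment: (status, version_string_or_None)."""
    version = parse_wp_version(version_php_text)
    if version is None:
        return ("unknown", None)
    return (assess(version), version)


if __name__ == "__main__":
    # Usage: python check_wp_version.py /path/to/wp-includes/version.php
    # Without an argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_VERSION_PHP
    status, version = check_install(text)
    print(f"wp_version={version!r} status={status}")
```

Run it against the `wp-includes/version.php` of each site you administer; an `affected` result means the site should be updated to 4.7.2 or later, and `prerelease` or `unknown` results deserve a manual look rather than being treated as safe.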


Fixing zero-day vulnerability

WordPress delayed the public disclosure of this bug in order to take additional mitigation steps, keeping attackers in the dark while the zero-day vulnerability was fixed. A zero-day vulnerability is a hole in software that is unknown to the vendor. Attackers exploit that gap to compromise programs and data before the vendor becomes aware of the vulnerability and rushes to fix it. To prevent such zero-day exploits, the Sucuri researcher responsibly disclosed this vulnerability to WordPress, and WordPress made the public disclosure only after silently including the fix in its newest release (4.7.2).


Timeline of the events

Let us take a look at the timeline of events once WordPress became aware of the vulnerability:

January 20, 2017: Sucuri alerts WordPress about the content injection vulnerability. The WordPress security team assesses the issue and starts working on solutions. They create a first iteration of the fix. Sucuri adds rules to their Web Application Firewall (WAF) in order to block exploit attempts against their clients.

January 21 & 22, 2017: WordPress reaches out to many other companies with WAFs including Incapsula, SiteLock and Cloudflare; works with them to create a set of rules to protect as many users as possible.

January 23, 2017: The rules are put in place and constantly monitored for exploit attempts in the wild. Testing and refining continues and at the same time, they contact WordPress hosts and privately inform them about the vulnerability. The hosts work in close coordination with the WordPress security team.

January 25, 2017: Data from all four WAFs and the hosts shows no indication of exploitation of the vulnerability in the wild. WordPress decides to delay the disclosure of this bug to buy more time for automatic updates and to ensure that as many users as possible are patched by the time of disclosure.

January 26, 2017: WordPress releases the newest version, 4.7.2, with patches for three other security issues, and says nothing about this privilege escalation issue so that users have enough time to update their sites.

February 1, 2017: WordPress publicly announces the content injection issue, names Marc-Alexandre Montpas, the Sucuri researcher who discovered it while working on WordPress as part of a vulnerability research project, and thanks him for responsible disclosure.

Final Words!

The whole episode tells a story of the integrity and accountability that WordPress maintained throughout. Even though WordPress kept its users in the dark, it was in their best interest: their safety. Being a WordPress Web Design Agency, we take pride in sharing this story of how efficiently WordPress fixed the zero-day vulnerability. Reach out to us with any WordPress or web development query. Our team of WordPress Specialists
