- Feb 7, 2017
CMS you are using has severe content injection (privilege escalation) vulnerability. Recently, a Sucuri researcher discovered that WordPress has this privilege escalation vulnerability affecting the REST API. If your website runs on WordPress 4.7.0 or 4.7.1 in which this REST API is enabled by default then it is vulnerable to this bug. WordPress released its latest version (4.7.2) last month. They affirmed in their official blog that this is a security release wherein they have fixed three security issues affecting versions 4.7.1 and earlier. However, the popular CMS didn’t disclose at that time that the update is also meant to fix the content injection vulnerability. Why did they keep their users in the dark?
Fixing zero-day vulnerability
WordPress delayed the public disclosure about this bug in order to take additional mitigation steps while keeping hackers in dark and also fix zero-day vulnerability. Well, zero-day vulnerability is a hole in software that is unknown to the vendor. That security gap is then exploited by hackers to adversely affect computer programs and data even before the vendor becomes aware of the vulnerability and rushes to fix it. To prevent such zero-day exploits, the Sucuri researcher responsibly disclosed this vulnerability to WordPress and the latter also made the public disclosure, after silently including the fix in their newest release (4.7.2).
Timeline of the events
Let us take a look at the timeline of the events that followed after WordPress became aware of the vulnerability:
January 20, 2017: Sucuri alerts WordPress about the content injection vulnerability. The WordPress security team assesses the issue and starts working on solutions. They create a first iteration of the fix. Sucuri adds rules to their Web Application Firewall (WAF) in order to block exploit attempts against their clients.
January 21 & 22, 2017: WordPress reaches out to many other companies with WAFs including Incapsula, SiteLock and Cloudflare; works with them to create a set of rules to protect as many users as possible.
January 23, 2017: The rules are put in place and constantly monitored for exploit attempts in the wild. Testing and refining continues and at the same time, they contact WordPress hosts and privately inform them about the vulnerability. The hosts work in close coordination with the WordPress security team.
January 25, 2017: Data from all the four WAFs and hosts shows no indication of exploitation of the vulnerability in the wild. WordPress decides to delay the disclosure of this bug to buy some more time for automatic updates and also to ensure that many users are patched till the time of disclosure.
January 26, 2017: WordPress releases the newest version 4.7.2 with patches for three other security issues and they maintain their secret about this privilege escalation issue so that their users have enough time to update their sites.
February 1, 2017: WordPress publicly announces about the content injection issue; mentions about Marc-Alexandre Montpas, the Sucuri researcher who discovered the issue while working on WordPress as a part of a vulnerability research project, and thanks him for responsible disclosure. Final Words! The whole episode narrates the story of integrity and accountability that WordPress has maintained throughout. Even if WordPress kept their users in dark, it was for the latter’s best interests – their safety. Being a WordPress Web Design Agency we take pride in sharing this story of how efficiently WordPress has fixed the zero-day vulnerability. Reach out to us with any WordPress or web development query. Our team of WordPress Specialists