05-Feb-2017 05:58 - edited 23-Jun-2022 09:31
Last week, a critical vulnerability was detected in WordPress 4.7/4.7.1 by Sucuri researchers: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
The vulnerability allows unauthenticated attackers to change the contents of posts in WordPress, using a simple GET or POST request.
This allows for defacement of WordPress sites or phishing attempts hosted on them. No evidence of this vulnerability leading to RCE has been reported yet.
ASM is able to mitigate this vulnerability using the following user-defined signatures:
content:"/wp-json/wp/v2/posts/"; nocase; content:"id="; nocase; re2:"/id=\s*?\+?\d+[^&\s\d]+?/i";
content:"/wp-json/wp/v2/posts/"; nocase; content:"|22|id|22|"; nocase; re2:"/\x22id\x22\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?/i";
content:"/wp-json/wp/v2/posts/"; nocase; content:"|27|id|27|"; nocase; re2:"/\x27id\x27\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?/i";
These signatures are expected to be included in the upcoming ASM security update, releasing next week.
WordPress administrators are encouraged to upgrade to WordPress 4.7.2 as soon as possible.
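To see what the three signatures above do and do not flag, the following added example (not from this article or from F5) approximates them in Python: each content keyword becomes a case-insensitive substring test and each re2 pattern a case-insensitive regex search over the raw request text. The signature names, the request samples and the host blog.example are constructed for illustration, and how ASM itself scopes and evaluates the keywords is not modelled.

```python
import re

# The article's three signatures, transcribed as
# (hypothetical name, content keywords, re2 pattern evaluated with /i).
# |22| and |27| in the content keywords are the hex bytes for " and '.
SIGNATURES = [
    ("query-id", ["/wp-json/wp/v2/posts/", "id="],
     r"id=\s*?\+?\d+[^&\s\d]+?"),
    ("json-id-dq", ["/wp-json/wp/v2/posts/", '"id"'],
     r"\x22id\x22\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?"),
    ("json-id-sq", ["/wp-json/wp/v2/posts/", "'id'"],
     r"\x27id\x27\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?"),
]

def matching_signatures(raw_request: str) -> list[str]:
    """Names of signatures whose keywords and regex all match the request."""
    lowered = raw_request.lower()
    hits = []
    for name, contents, pattern in SIGNATURES:
        keywords_ok = all(c.lower() in lowered for c in contents)  # nocase
        if keywords_ok and re.search(pattern, raw_request, re.IGNORECASE):
            hits.append(name)
    return hits

HEAD = " HTTP/1.1\r\nHost: blog.example\r\n"
JSON = "Content-Type: application/json\r\n\r\n"

# Constructed requests: the id value is either purely numeric or digits
# followed by non-digit characters, which is what the regexes look for.
SAMPLES = {
    "plain read": "GET /wp-json/wp/v2/posts/12" + HEAD + "\r\n",
    "numeric id": "GET /wp-json/wp/v2/posts/12?id=12&context=view" + HEAD + "\r\n",
    "id with suffix": "POST /wp-json/wp/v2/posts/12?id=12abc" + HEAD + "\r\n",
    "upper case": "POST /WP-JSON/WP/V2/POSTS/12?ID=12abc" + HEAD + "\r\n",
    "json numeric": "POST /wp-json/wp/v2/posts/12" + HEAD + JSON + '{"id": "12"}',
    "json suffix": "POST /wp-json/wp/v2/posts/12" + HEAD + JSON + '{"id": "12abc"}',
    "json single-quoted key": "POST /wp-json/wp/v2/posts/12" + HEAD + JSON
                              + "{'id': \"12abc\"}",
    "other endpoint": "GET /wp-json/wp/v2/users?id=12abc" + HEAD + "\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:24} -> {matching_signatures(request) or 'no match'}")
```

Requests whose id is purely numeric pass untouched, so the signatures should not interfere with ordinary REST API clients.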