WordPress 4.7 Suffers Another zero-day Vulnerability

The vulnerability has been found by Marc Alexandre Montpas from Sucuri,  there is an Content Injection and Privilege Escalation vulnerability hits Wordpress versions 4.7 and 4.7.1 and allows all pages on unpatched sites to be modified, redirecting visitors to exploits and a myriad of attacks.

On the blogpost Marc said -

This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.
One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.
The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!” - Marc further added.

With no lose WordPress team had released the patch for the vulnerability and We also recommend our all users and other WordPress site admins to update your WordPress core version now. This is another easy but critical vulnerability that WordPress suffers.

There are about 2 million site running on WordPress CMS, hence this bug puts all of them at high risk.

Just last week only WordPress team have patched two critical Cross Site Scripting (XSS) and one SQLinjection vulnerability. 

On our last security updates we have wrote about the basic Tips for the WordPress Security, do get to it which will surely help to make your site security much tighter.