WordPress 4.7.2 was released on 26 January 2017. This release fixed an unannounced zero-day vulnerability in the WordPress REST API. Yet, thousands of WordPress sites are still vulnerable to this attack. One of the REST endpoints allows remote access to WordPress posts with permission to view, edit, delete, and create new posts. Depending on plugins installed on the hacked site, attackers could even execute PHP code. This is a serious vulnerability, but it has been fixed.

Unfortunately, according to Sucuri, two weeks after the update, sites are still being defaced by exploits using this vulnerability. I did a Google search this morning for the blame line from one version of the exploit, and the search returned over 150,000 results. If you own or manage WordPress websites, go right now and make sure they have all been updated to WordPress 4.7.2.
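One way to check a batch of your own sites for the 4.7.2 update, added here as an example and not part of the original post: it reads the generator meta tag that WordPress prints in the page head and flags any site whose version is still below 4.7.2. The HTML snippets are constructed samples; fetching the live pages is left to the caller, and a site whose theme or security plugin strips the generator tag is reported as unknown rather than assumed safe.

```python
import re

# The release that closed the REST API hole; anything below it needs the update.
PATCHED_VERSION = (4, 7, 2)

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
GENERATOR_NAME_RE = re.compile(r"""name\s*=\s*["']generator["']""", re.IGNORECASE)
WP_CONTENT_RE = re.compile(r"""content\s*=\s*["']WordPress\s+(\d+(?:\.\d+)*)""", re.IGNORECASE)


def parse_version(text):
    """'4.7' -> (4, 7, 0); padded to three parts so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def extract_wp_version(html):
    """Return the WordPress version from the generator meta tag, or None if it is absent."""
    for tag in META_TAG_RE.findall(html):
        if GENERATOR_NAME_RE.search(tag):
            match = WP_CONTENT_RE.search(tag)
            if match:
                return parse_version(match.group(1))
    return None


def assess(html):
    """'patched', 'needs-update' or 'unknown' (no generator tag: check the dashboard)."""
    version = extract_wp_version(html)
    if version is None:
        return "unknown"
    return "patched" if version >= PATCHED_VERSION else "needs-update"


def audit(pages):
    """Map site name -> status for a dict of site name -> fetched HTML."""
    return {site: assess(html) for site, html in pages.items()}


# Constructed sample pages (hypothetical site names), not captured from real sites.
SAMPLE_PAGES = {
    "example-a": '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>',
    "example-b": "<html><head><meta content='WordPress 4.7.2' name='generator'></head></html>",
    "example-c": '<html><head><meta name="generator" content="WordPress 4.8" /></head></html>',
    "example-d": "<html><head><title>Generator tag removed by a plugin</title></head></html>",
}

if __name__ == "__main__":
    for site, status in audit(SAMPLE_PAGES).items():
        print(f"{site}: {status}")
```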

Sites Affected by Just One Version of the Exploit

Published by Site Geek

My name is Patricia Dumond. I am the founding member and “Chief Geek” at Site Geeks LLC, located in Hinesville, Georgia. I started Site Geeks with one goal in mind: to help small businesses and non-profits get their message out on the web. I live in southeast Georgia. I retired in October 2013 after 34 years of service with the United States Army as both a soldier and a civilian. I have two sons, 5 cats (plus 4 who own my sister and 3 my son dropped off with us on his way to Vermont) and 2 dogs, Mab and Molly. My husband, Paul, passed away in June 2010, and my sister, Roberta (also a widow), came to live with me here in the boondocks. She keeps me company and makes sure I’m fed and have clean clothes (it’s kind of like having a wife). I’ve worked with computers since they were programmed via punched cards and took up entire rooms. I’ve programmed databases in COBOL. That’s how long I’ve been around computers. I’ve been developing and administering websites since 1999. I’m fluent in all the acronyms: HTML, CSS, PHP, etc. I was on the team that built the first website for Fort Stewart, Georgia, around 2002 — a cemetery database I programmed for the web is still on the site today. I spent my last 4 years as an Army civilian working in web security.