Though WordPress update 4.7.1 was just released in December, there has already been a major vulnerability identified and, over the past couple days, exploited on tens of thousands of WordPress sites around the web. Fortunately, the issue has already been patched in 4.7.2, released on January 26, so all webmasters have to do to remain secure is update their CMS.
What this zero day vulnerability allows attackers to do is change any and all content on pages within WordPress. Critically, this means that attackers can create redirects on affected websites, sending visitors to domains with malicious scripts and viruses. The vulnerability was identified a couple weeks ago, and as of a few days ago there are videos explaining how to exploit the vulnerability freely available on the web. As a result, tens of thousands of sites have been compromised over the past two days, mostly by Anti-ISIS groups defacing websites with their own vulgar content.
Why is this exploit such a big deal?
Given that this is a zero day vulnerability not addressed in recent patches such as 4.7.0 and 4.7.1, many well maintained and largely up-to-date websites are being affected by this exploit. Compounding the issue is the fact that WordPress.org did not mention the vulnerability fix in their 4.7.2 patch notes, so webmasters have not been aware of the critical nature of this latest update until just recently.
The reason for this was that WordPress did not want to broadcast immediately that several zero day vulnerabilities had been identified and fixed in this latest patch, to avoid widespread exploitation of them before users had a few days to update their websites to 4.7.2. While this was successful, the news of how critical this latest update is has still been too slow getting around the web.
WordPress’s Aaron Campbell explained their decision in a supplemental security update posted to wordpress.org about 4.7.2, saying:
"We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites."
So the long and short of this is simple: update all software on your WordPress sites right now! And if you have any questions about this or need a hand, give us a call.
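Since the only remedy the post gives is "update to 4.7.2", a quick way to verify that a site is actually on a fixed release is to read the version string WordPress core writes to wp-includes/version.php (the file sets a $wp_version variable) and compare it numerically against 4.7.2. The script below is an added example, not code from the post or from WordPress; the version.php text it ships with is a constructed sample in the real file's layout, and the FIXED_VERSION value is taken from the post. It checks core only, not plugins or themes.

```python
import os
import re
import sys

# Constructed sample of wp-includes/version.php in the layout WordPress core
# uses; the real file assigns $wp_version the same way.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '4.7.1';
"""

FIXED_VERSION = "4.7.2"  # first release carrying the fix, per the post


def parse_wp_version(php_source):
    """Extract the $wp_version string from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version):
    """Turn '4.7.1' into (4, 7, 1); a pre-release suffix such as '-beta1' is dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release.

    Compare as integer tuples, not strings: as a string '4.7.10' sorts before
    '4.7.2', which would wrongly flag a newer release as vulnerable.
    """
    return version_tuple(installed) < version_tuple(fixed)


def check_install(wp_root):
    """Read wp-includes/version.php under a WordPress root; return (version, needs_update)."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        installed = parse_wp_version(fh.read())
    return installed, needs_update(installed)


if __name__ == "__main__":
    # Usage: python check_wp_version.py /var/www/html  (falls back to the sample)
    if len(sys.argv) > 1:
        version, stale = check_install(sys.argv[1])
    else:
        version = parse_wp_version(SAMPLE_VERSION_PHP)
        stale = needs_update(version)
    print(f"WordPress {version}: {'UPDATE REQUIRED' if stale else 'ok'}")
```

Run it against each site's document root; anything reported as UPDATE REQUIRED is still on a release without the fix and should be updated before anything else.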