Cybercriminals start cashing in on vulnerable WordPress websites

Domains are being compromised through a vulnerability in the WordPress REST API.
Written by Charlie Osborne, Contributing Writer

The abuse of a vulnerability in the WordPress REST API has taken an expected turn -- with the monetization of compromised websites for cyberattackers.

The security flaw is a patched vulnerability in the content management system (CMS)'s REST API which permits attackers to modify the content of posts or pages, including editing or outright deletion, and can even allow them to execute malicious code.

Despite the bug being fixed earlier this year, thousands of webmasters are ignoring pleas to update, granting criminals a vast array of websites to exploit.

Two weeks after the patch update was issued by the WordPress security team, researchers found exploits being shared online to take advantage of slack security, leading to a minimum of 66,000 WordPress domains compromised to carry SEO spam (Search Engine Poisoning) and make cyberattackers money through spam-related content.

A number of websites were also the targets of remote code execution attempts.

It is estimated that up to 1.5 million websites may remain unpatched. However, the situation appears to have worsened.

According to researchers from SiteLock, the latest trend in vulnerable WordPress website defacement is the launch of rogue pharmacies. These websites, rather common already online, promise to provide "authentic" erectile dysfunction medication.


Should a visitor fall for this trick and attempt to purchase the 'medication," much of the time, the cyberattackers will store their credit card data and run -- potentially leading to unauthorized purchases or rinsed bank accounts.

In an interesting example of attacker tug-of-war, one fake pharmacy was involved in a battle against other criminals utilizing the same flaw to push other defacements onto the website's content and posts, such as political messages or fights for exposure.

SiteLock estimates that roughly 20 attackers are defacing these websites, fighting amongst themselves for financial gain.

"The ease of execution is so low and so easy, we're seeing script kiddies pick up this exploit and have a field day with it," said Logan Kipp of SiteLock. "We're seeing these 20 or so different actors fighting over control and overwriting defacements, many times minutes apart."

To protect domains against this vulnerability, websites must update to WordPress 4.7.2.

5 things you should know about VPNs

Measuring third-party security risks within minutes, not months:

Editorial standards