WordPress: Why we didn't tell you about a big zero-day we fixed last week

WordPress has revealed a serious flaw that it secretly fixed in last week's security update.
Written by Liam Tung, Contributing Writer

"We intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," said WordPress' Aaron Campbell.


WordPress has revealed that last week's security update silently fixed a critical remote code execution bug.

WordPress says it kept the vulnerability under wraps for a week to give millions of the popular CMS' users time to patch before cluing in attackers to this specific flaw via a public advisory.

"It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," explained Aaron Campbell, a WordPress core maintainer.

The newly disclosed bug is in the REST API endpoint of WordPress 4.7. Any WordPress site that updated to that version in January and hasn't applied last week's patch is vulnerable to a content injection flaw that allows an unauthenticated attacker to modify a post or page. Depending on the site's plugins, it could also be used to remotely execute code.

The bug was discovered by Sucuri security researcher Marc-Alexandre Montpas, who says it was the most serious of all issues in last week's update.

"Due to this type-juggling issue, it is then possible for an attacker to change the content of any post or page on a victim's site. From there, they can add plugin-specific shortcodes to exploit vulnerabilities, which would otherwise be restricted to contributor roles, infect the site content with an SEO spam campaign, or inject ads," he wrote.

"Depending on the plugins enabled on the site, even PHP code could be executed very easily."

Not everyone was left in the dark, though. Before releasing the patch, WordPress' security team had already informed WordPress hosts, and firewall providers, including Sucuri, SiteLock, CloudFlare, and Incapsula, that were in a position to protect users from possible exploit attempts in the wild.

"Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users," wrote Campbell.

"Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public."

Akamai, which was also given early disclosure, had been monitoring for evidence of scanning or exploitation before yesterday's announcement to see whether anyone besides Sucuri was aware of the flaw. It said it had seen no evidence of attempts to exploit it.
