Tens of thousands WordPress sites defaced, SEO spam to follow

Attackers are actively exploiting the recently patched unauthenticated privilege escalation vulnerability in WordPress’ REST API to deface websites.

Sucuri, the company that discovered the flaw and responsibly reported it to the WordPress security team, spotted four distinct defacement campaigns in the 48 hours after the existence of the bug was publicly revealed.

Three of them have had limited impact, but one – “signed” by someone that goes by “w4l3XzY3” – has resulted in the compromise of 86,000 pages and counting.

Sucuri CTO Daniel Cid expects the defacement campaigns to slow down in the coming days, only to be followed by SEO spam (Search Engine Poisoning) attempts.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability,” he noted.

Unfortunately, the vulnerability is trivial to exploit, and allows attackers to modify the content of any post or page within a vulnerable WordPress site.

The WordPress REST API was only recently added to WordPress, and is enabled by default in versions 4.7.0 and 4.7.1 of the popular CMS.

Many use WP’s auto-update feature to help keep their installations secure, but with each public vulnerability that gets quickly exploited by attackers we are made aware of how many other users aren’t keeping on top of things.

For those interested in how the vulnerability came about, F5’s technical evangelist Lori MacVittie offers a short but helpful explanation.