WordPress Flaw Exposes All WordPress Sites – Immediate Updates Required
A WordPress update (4.7.2) released on Jan. 26 silently fixed an unauthenticated privilege escalation flaw in a REST API endpoint; the affected versions are 4.7.0 and 4.7.1. In short, anyone can send a specially crafted request to an unpatched WordPress site, with no login of any kind, and the site will let the attacker alter the content of its posts and pages. The core files are not affected, and an admin can simply roll back the altered posts or pages, but the content attackers are injecting into websites is cause for concern.
Sucuri, who privately disclosed the WordPress flaw, said they have seen four different campaigns targeting sites that are still not patched. The four campaigns are mass-scanning the Internet for sites running vulnerable versions of WordPress and attempting to exploit the flaw on each one they find. Most of the attacks result in website defacement.
If you are on CourseVector's managed hosting service, the patch has already been applied. If you have basic hosting and manage your own security, we strongly suggest that you apply the update as soon as possible (check your version under Dashboard > Updates in the WordPress admin; sites with automatic background updates enabled should already be on 4.7.2). Since automated scanners are being used to exploit this issue, it is a matter of when an unpatched site will be defaced, not if.
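As an added example (this is not code from the original post, nor CourseVector's or Sucuri's), the Python script below does two of the checks a self-managed site owner would want: it reports whether a given core version is still vulnerable, and it scans web-server access logs for the exploitation pattern the scanners use. The version numbers (4.7.0 and 4.7.1 vulnerable, fixed in 4.7.2) and the request signature (a write to the `wp/v2/posts` REST route whose `id` is not purely numeric, e.g. `?id=1abc`, which slips past the endpoint's permission check while the update still lands on post 1) come from the public disclosure rather than from this page; the log lines are constructed samples, and the function names are our own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Core versions that shipped the vulnerable REST API posts controller (fixed in 4.7.2),
# spelled the way WordPress reports them.
VULNERABLE_VERSIONS = {"4.7", "4.7.0", "4.7.1"}

# HTTP methods the REST API accepts for editing a post.
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# The posts endpoint in either route form WordPress serves:
#   /wp-json/wp/v2/posts/<id>          (pretty permalinks enabled)
#   /?rest_route=/wp/v2/posts/<id>     (rest_route query form)
POSTS_ROUTE = re.compile(r"/wp/v2/posts/(?P<id>[^/?]*)")

# Common/combined log format up to the status code; the rest of the line is ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): two exploit attempts in the
# pretty-permalink form, one in the rest_route form, plus benign noise.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:01:22 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 1532
203.0.113.5 - - [06/Feb/2017:10:01:23 +0000] "POST /wp-json/wp/v2/posts/2?id=2abc HTTP/1.1" 200 1498
198.51.100.7 - - [06/Feb/2017:10:02:10 +0000] "GET /wp-json/wp/v2/posts/ HTTP/1.1" 200 8830
192.0.2.9 - - [06/Feb/2017:10:03:01 +0000] "POST /?rest_route=/wp/v2/posts/7&id=7xyz HTTP/1.1" 200 1201
10.0.0.4 - - [06/Feb/2017:10:04:00 +0000] "POST /wp-json/wp/v2/posts/7 HTTP/1.1" 401 83
"""


def is_vulnerable_version(version):
    """True if the reported core version still carries the unpatched REST API flaw."""
    return version.strip() in VULNERABLE_VERSIONS


def post_ids_in_request(target):
    """Return every post id the posts endpoint would see for this request target,
    or None if the target is not the posts endpoint at all.

    Ids come from the route path and from an explicit ?id= query parameter; the
    exploit relies on the query parameter overriding the numeric route id."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    routes = [parts.path] + query.get("rest_route", [])
    matches = [m for m in (POSTS_ROUTE.search(r) for r in routes) if m]
    if not matches:
        return None
    return [m.group("id") for m in matches] + query.get("id", [])


def find_exploit_attempts(log_text):
    """Flag write requests to the posts endpoint whose id is not purely numeric."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        ids = post_ids_in_request(m["target"])
        if ids is None:
            continue  # some other endpoint; not our concern here
        bad_ids = [i for i in ids if i and not i.isdigit()]
        if bad_ids:
            hits.append({"ip": m["ip"], "ts": m["ts"], "ids": bad_ids,
                         "status": int(m["status"])})
    return hits


def attackers_by_count(hits):
    """Count flagged requests per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    found = find_exploit_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} ids={h['ids']} status={h['status']}")
    print(attackers_by_count(found))
```

Point `find_exploit_attempts` at your real access log instead of `SAMPLE_LOG` to see whether the scanners have already visited. A flagged request with a 200 status on a site that was on 4.7.0 or 4.7.1 at the time means the edit most likely went through, so check the post named in the path and roll it back from its revision history; a 401 or 403 means the patched endpoint rejected it.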
If you would like to move to managed hosting, or if you are unsure whether you have managed hosting, please feel free to contact us and we will be glad to help!