While you were peacefully minding about your own business, WordPress developers made an important and quick decision to successfully fix a security flaw on their website. This was implemented in their latest security update which fixed a serious remote code execution (RCE) bug. This bug allowed remote unauthorized hackers to access the contents on WordPress pages and then edit or delete them. WordPress is the world’s most popular content management system (CMS) which is used by millions of people worldwide to make their websites issued their latest update 4.7.2 to patch up the security vulnerability.
What is Remote Code Execution?
Remote code executions are bugs through which an attacker can gain access to someone else’s computing device and make changes no matter where the device is geographically located. RCE’s are often embedded in user applications. When a person runs this application on their computer, the attacker gains the ability to introduce malicious codes and gain total control over the affected computer. Websites and different operating systems often fix these loopholes through security updates to protect the user privileges.
How does it affect your WordPress website?
This Remote Code Execution bug was discovered and reported by a researcher from Sucuri Security named Marc-Alexandre Montpas. According to him, this was the most serious security vulnerability in WordPress’s latest update as this issue allowed attackers to change any post content on the victim’s site. The attackers can then add shortcodes related to specific plugins and exploit vulnerabilities like injecting the site with ads or SEO span campaigns. According to the plugins enabled on the site, an attacker can easily execute PHP codes.
The bug found its roots in the WordPress REST API Endpoint on the WordPress 4.7 and 4.7.1 versions. The security flaw enabled attackers to modify all pages on unpatched sites.
Why wasn’t it disclosed earlier?
According to WordPress core contributor Aaron Campbell, the identity of the flaw was not disclosed later to give ample time to web admins to update to the 4.7.2 patch. Campbell also added that maintaining transparency is always in the best interest of public however in this case they intentionally delayed the disclosure of the issue to protect numerous additional Word Press sites. However not everyone was left in the dark as WordPress had tipped off Security firms including Cloudflare, SiteLock and Incapsula along with WordPress hosts to help work on a fix. The job of security firms was to report any even of exploitation of the vulnerability while WordPress hosts worked closely patch the issue.
Since WAFs and Word Press hosts showed no signs of exploitation of the security vulnerability, it was less likely that the attackers discovered this flaw. As a result the decision of delayed disclosure was made to stop making this issue public, while subsequently working on a fix in the background. Millions of WordPress websites were automatically updated within hours of the release of the patch 4.7.2 before the disclosure of the security flaw was made public.