The following was released 2 hours ago – by WordPress. This is the kind of thing we are concerned about when we see so many sites unpatched: it is a question of when, not if. Take a moment and check which version you are running.
When logging in as the administrator – take a moment to check and see if you are running the current version.
You can see this under AT A GLANCE – where it will (hopefully) say something like “WordPress 4.7.2 running”, in which case you are in a better place.
If you are wondering what updates you have waiting – click on DASHBOARD > HOME > UPDATES > CHECK AGAIN. Apply the available updates for core, plugins and themes, in that order.
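If you look after more than one site, checking the dashboard of each by hand does not scale. The script below is an added example (it is not part of the original post and not a WordPress or hosting tool): it reads the version string that WordPress keeps in wp-includes/version.php as `$wp_version` and reports whether the install is at or above 4.7.2, the release that carries the fix described below. The sample installs it checks are constructed in temporary directories; the numeric-only version comparison is an assumption that suffices for release builds.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a WordPress
# install is at or above the patched 4.7.2 release by reading $wp_version
# from wp-includes/version.php.

PATCHED_VERSION="4.7.2"

# Print the value of $wp_version from a version.php file (empty if absent).
wp_version_from_file() {
    sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p" "$1"
}

# Return 0 if version $1 is older than version $2, 1 otherwise.
# Assumption: components are compared numerically, so a suffix such as
# "-alpha" is ignored; adequate for release builds.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Check one WordPress root directory. Prints one status line and returns
# 0 = patched, 1 = needs update, 2 = could not determine.
check_wp_root() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || { echo "$1: no wp-includes/version.php found"; return 2; }
    v=$(wp_version_from_file "$f")
    [ -n "$v" ] || { echo "$1: could not read \$wp_version"; return 2; }
    if version_lt "$v" "$PATCHED_VERSION"; then
        echo "$1: WordPress $v is OLDER than $PATCHED_VERSION - update now"
        return 1
    fi
    echo "$1: WordPress $v is at or above $PATCHED_VERSION"
    return 0
}

# Constructed sample install for demonstration: a temporary directory whose
# version.php carries only the $wp_version line in its real format.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$1" > "$d/wp-includes/version.php"
    echo "$d"
}

# Demo run against one unpatched and one patched sample install.
OLD_ROOT=$(make_sample_root "4.7.1")
NEW_ROOT=$(make_sample_root "4.7.2")
check_wp_root "$OLD_ROOT" || true
check_wp_root "$NEW_ROOT" || true
rm -rf "$OLD_ROOT" "$NEW_ROOT"
```

To use it on real sites, call `check_wp_root` with the document root of each install (for example in a loop over /var/www/*) and act on any non-zero return; a return of 2 means the directory is not a recognisable WordPress install and deserves a manual look.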
If you have any questions – need a hand – do not hesitate to get in contact with support.
The original article can also be found here.
Disclosure of Additional Security Fix in WordPress 4.7.2
WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.
In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.
We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.
On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.
Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri.
Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild.
On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.
By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.
On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.
We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible. We’d also like to thank the WAFs and hosts who worked closely with us to add additional protections and monitored their systems for attempts to use this exploit in the wild. As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.
Updated Monday 13th February 2017
“Virally growing attacks on unpatched WordPress sites affects ~2m pages“ – the problem is growing, as unpatched sites become more of a liability. Mostly these will be used for spamming, compromising other sites, harvesting users’ details, emails and passwords – and the occasional defacement… however, as the tagline there suggests, “It’s all fun and games until someone executes malicious code. That may be next.” – it is not going to be too long before we see these hosts being used in larger-scale attacks or more clear-cut illegal activity.