On January 20, web security research firm Sucuri found a zero-day vulnerability in the WordPress platform. This vulnerability, residing in the REST Application Programming Interface, allowed attackers to modify content on any page or post of a WordPress site.
Over the next few days, WordPress quietly fixed the flaw and, on January 26, shipped the fix in version 4.7.2. It wasn't until almost a week later that it publicly disclosed details of the vulnerability. According to WordPress core contributor Aaron Campbell, the disclosure delay was meant to protect WordPress users, since at that point there wasn't any "indication that the vulnerability had been exploited in the wild."
Spike in exploits following bug disclosure
The intent was to let as many sites as possible apply the patch before the details of the vulnerability were made public - a tough situation commonly debated in the InfoSec community. On one side, you want to do what you can to inform users of what they should protect themselves against, why, and how. On the other, you don't want to hand attackers the opportunity to exploit the bug - which is what happened in this case.
"Viral rate of attack rose even after vulnerability patched."
According to Ars Technica, less than 48 hours after the bug was disclosed, there was a significant spike in the number of campaigns and the frequency of attacks. One campaign replaced content on more than 66,000 web pages, leaving behind "Hacked by" messages. Over two million pages were hit with these defacements, including the news blog of the Linux distribution OpenSUSE (news.opensuse.org), the US Department of Energy (jcesr.org), the Utah Office of Tourism (travel.utah.gov) and the World Series of Fighting (wsof.com).
Even though the vulnerability was patched, the attack vector had already been open long enough for hackers to find ways to exploit and monetize it. For example, as SiteLock pointed out, cybercriminals were able to abuse the REST API bug by injecting malicious code that redirected visitors to a rogue pharmacy site.
Millions of sites still at risk for attack
Estimates say that about 1.5 million websites are still unpatched and vulnerable to attack, with researchers suggesting that the Insert PHP and Exec-PHP plugins are particularly prone to attack - especially on sites still running version 4.7 or 4.7.1.
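The two concerns raised above - sites still on the affected 4.7 or 4.7.1 releases, and post content carrying an injected visitor redirect - lend themselves to a simple defender-side triage check. The script below is an added example, not code from Sucuri, WordPress, Ars Technica or SiteLock. It assumes the site still emits the standard WordPress generator meta tag, that post bodies are inspected from the REST API's content.rendered field, and that the redirect heuristics are generic assumptions rather than a signature of the campaigns described; all sample data is constructed inline so it runs offline.

```python
"""Defender-side triage for the WordPress 4.7 REST API issue discussed above.

Added example (not code from Sucuri, WordPress, Ars Technica or SiteLock).
Assumptions not stated on the page:
  - the site still emits the standard <meta name="generator"> tag;
  - post bodies are inspected from the REST API's `content.rendered` field;
  - the redirect heuristics below are generic, not a signature of the
    campaigns the article describes.
All sample data is constructed inline so the script runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Vulnerable releases named in the article: 4.7 and 4.7.1; fixed in 4.7.2.
FIRST_AFFECTED: Version = (4, 7, 0)
FIXED_VERSION: Version = (4, 7, 2)

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']', re.I
)

# Generic markers of a visitor redirect injected into post HTML (assumption).
REDIRECT_PATTERNS = [
    ("script-redirect", re.compile(
        r"<script[^>]*>.*?(?:window\.location|document\.location|location\.href)", re.I | re.S)),
    ("meta-refresh", re.compile(r'<meta\s+http-equiv=["\']refresh["\']', re.I)),
    ("external-iframe", re.compile(r'<iframe[^>]*\bsrc=["\']https?://', re.I)),
]


def parse_wp_version(html: str) -> Optional[Version]:
    """Extract the WordPress version from the generator tag, padded to 3 parts
    so that '4.7' compares as (4, 7, 0)."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


def is_unpatched(version: Optional[Version]) -> bool:
    """True for the affected 4.7.x releases that predate the 4.7.2 fix.
    An unknown version is reported as unpatched so it gets a manual look."""
    if version is None:
        return True
    return FIRST_AFFECTED <= version < FIXED_VERSION


def find_suspicious_posts(posts: List[Dict]) -> List[Tuple[int, str]]:
    """Return (post id, reason) for every post whose rendered content matches
    one of the redirect heuristics."""
    hits = []
    for post in posts:
        body = post.get("content", {}).get("rendered", "")
        for reason, pattern in REDIRECT_PATTERNS:
            if pattern.search(body):
                hits.append((post["id"], reason))
                break  # one finding per post is enough for triage
    return hits


# --- constructed sample data (not from any real site) ---------------------
SAMPLE_HOMEPAGE = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>'

SAMPLE_POSTS = [
    {"id": 1, "content": {"rendered": "<p>Release notes for our spring update.</p>"}},
    {"id": 2, "content": {"rendered":
        '<p>Hacked by example</p><script>window.location="http://pharmacy.invalid/";</script>'}},
    {"id": 3, "content": {"rendered":
        '<meta http-equiv="refresh" content="0;url=http://pharmacy.invalid/">'}},
    {"id": 4, "content": {"rendered": '<p>Normal post with a <a href="https://example.org">link</a>.</p>'}},
]


def triage(homepage_html: str, posts: List[Dict]) -> Dict:
    """Combine both checks into one report a defender can act on."""
    version = parse_wp_version(homepage_html)
    return {
        "version": version,
        "unpatched": is_unpatched(version),
        "suspicious_posts": find_suspicious_posts(posts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HOMEPAGE, SAMPLE_POSTS))
```

Against the constructed sample the report flags the site as unpatched (4.7.1) and lists posts 2 and 3. Many hardened sites strip the generator tag, which is why an unknown version is deliberately reported as unpatched rather than silently passed; confirm the version from the admin dashboard or the wp-includes/version.php file on the server in that case.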
Most recently, Sucuri identified an SQL injection vulnerability in the WordPress plugin NextGEN Gallery, which it rates as a critical security risk with an easy exploitation level. If exploited, attackers would be able to steal sensitive user information and data from the website database. Furthermore, Sucuri said those most at risk are sites that use the NextGEN Basic TagCloud Gallery or allow visitors to submit posts on the site.