Security Vulnerability in WordPress 4.7 and 4.7.1

Sucuri discovered a severe content injection (privilege escalation) vulnerability affecting the WordPress REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.

They disclosed the vulnerability to the WordPress Security Team who handled it extremely well. They worked closely with Sucuri to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.

A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.

This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.

One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.