
WordPress REST API flaw: How did it lead to widespread attacks?

A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks.

WordPress waited to reveal that it patched a REST API endpoint vulnerability in an attempt to allow time for sites to update. However, since its announcement, 1.5 million sites have been attacked. What is the vulnerability, and how can enterprises secure their WordPress pages?

On Jan. 20, security company Sucuri alerted the WordPress core development team of an unauthenticated privilege escalation vulnerability in a Representational State Transfer (REST) API endpoint that enabled an attacker to modify content on a site running WordPress, an open source content management system platform.

On Jan. 26, WordPress released version 4.7.2, which contained a security fix for the vulnerability. However, the company did not immediately announce the fix, hoping its auto-update mechanism would update vulnerable sites before the issue was made public and hackers became aware of the WordPress REST API vulnerability. Automatic background updates were introduced in WordPress 3.7 to promote better security and to streamline the update experience.

Sucuri added rules to its web application firewall to block exploit attempts, while the WordPress team also worked with several security companies, such as SiteLock, Cloudflare and Incapsula, to create a set of rules that could protect more users.

Despite these steps, over 1.5 million sites were attacked using this specific WordPress REST API vulnerability. In some cases, defaced pages were defaced again by a different attacker. The security risk of the vulnerability is considered severe, while the exploitation level is easy/remote.

This privilege escalation vulnerability affects the WordPress REST API, which was added and enabled by default in WordPress 4.7.0. One of the REST endpoints (a URI that accepts web requests) allows posts to be viewed, edited, deleted and created through the API.

Because the ID parameter sent to /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php is not sanitized properly, an attacker can craft a parameter that grants edit rights to any post on the site. A malformed alphanumeric post ID can pass the update_item_permissions_check method that the update_item function relies on.

Because PHP converts between types by type juggling, WordPress casts the ID parameter to an integer before passing it to the get_post method; the cast discards the trailing alphabetic characters and leaves a valid numeric ID. This means a legitimate request to view the post with ID 123 (/wp-json/wp/v2/posts/123) could be changed to /wp-json/wp/v2/posts/123?id=456 ABC, and the attacker would end up changing the post with ID 456.
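The following is an added illustration, not WordPress's own code: a simplified model of the mismatch the article describes, in which the permission check keys its lookup on the raw request parameter while the update step casts that parameter to an integer. The post table, user names and function names are constructed for the example, and the hardened version shows the general remedy of validating the ID strictly before any lookup.

```php
<?php
// Added illustration, not WordPress code. Names are hypothetical and the
// post table is constructed: post ID => ['owner' => ..., 'content' => ...].
$posts = [
    123 => ['owner' => 'alice', 'content' => 'first post'],
    456 => ['owner' => 'bob',   'content' => 'second post'],
];

// Weak permission check: it looks the post up by the RAW parameter.
// "456 ABC" is not a key in the table, so the "no such post" branch returns
// true and no ownership check ever runs. A well-formed "456" still works
// correctly here, which is why the defect went unnoticed in normal use.
function weak_update_permission(array $posts, string $raw_id, string $user): bool
{
    if (!isset($posts[$raw_id])) {
        return true;
    }
    return $posts[$raw_id]['owner'] === $user;
}

// The update step casts the parameter to int, as the article notes, so
// "456 ABC" now resolves to post 456 and the edit goes through.
function weak_update(array &$posts, string $raw_id, string $user, string $body): bool
{
    if (!weak_update_permission($posts, $raw_id, $user)) {
        return false;
    }
    $id = (int) $raw_id;            // PHP type juggling: (int) "456 ABC" === 456
    if (!isset($posts[$id])) {
        return false;
    }
    $posts[$id]['content'] = $body;
    return true;
}

// Hardened version: reject anything that is not a plain decimal string,
// then perform every lookup with the one validated integer.
function safe_update(array &$posts, string $raw_id, string $user, string $body): bool
{
    if (!ctype_digit($raw_id)) {    // rejects "456 ABC", "456abc", " 456", ""
        return false;
    }
    $id = (int) $raw_id;
    if (!isset($posts[$id]) || $posts[$id]['owner'] !== $user) {
        return false;               // unknown post, or caller is not the owner
    }
    $posts[$id]['content'] = $body;
    return true;
}

// Demonstration with the article's parameter value: "mallory" owns neither post.
$copy = $posts;
var_dump(weak_update($copy, '456 ABC', 'mallory', 'changed'));  // weak path lets the edit through
var_dump($copy[456]['content']);

$copy = $posts;
var_dump(safe_update($copy, '456 ABC', 'mallory', 'changed'));  // hardened path refuses
var_dump(safe_update($copy, '456', 'bob', 'legit edit'));       // owner with a valid ID succeeds
```

Running the script shows the weak path accepting the malformed ID and overwriting post 456, while the hardened path rejects it and still allows the owner's well-formed request. The important design point is that validation happens once, before the first lookup, and every later step uses that same validated value rather than re-interpreting the raw string.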

Most WordPress REST API attacks appear to have taken the form of defaced posts and pages on victim sites, but the same access could be used to plant search engine optimization spam, inject ads and so on. Depending on which plug-ins are installed on a site, an attacker could gain remote command execution. Site administrators should upgrade to WordPress 4.7.2 if they haven't already done so, and update their firewall rules to protect against the attack. If a site has already been attacked, the content of the compromised pages and posts will also need to be restored.
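As an added example of the kind of check a firewall rule or log review can apply (this is not Sucuri's or WordPress's rule set), the script below scans web-server access log lines for the request shape the article describes: a request to /wp-json/wp/v2/posts/&lt;number&gt; that also carries an `id` query parameter which is not purely numeric. The log lines are constructed for the demonstration.

```php
<?php
// Added example, not from the article or WordPress. The access log lines
// below are constructed; the IP addresses are documentation ranges.
$log_lines = [
    '203.0.113.7 - - [01/Feb/2017:10:00:01 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Feb/2017:10:00:02 +0000] "POST /wp-json/wp/v2/posts/123?id=456%20ABC HTTP/1.1" 200 610',
    '198.51.100.9 - - [01/Feb/2017:10:00:03 +0000] "POST /wp-json/wp/v2/posts/123?id=456 HTTP/1.1" 401 77',
    '198.51.100.9 - - [01/Feb/2017:10:00:04 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2048',
];

// Returns the lines whose single-post REST request overrides the path ID
// with a non-numeric `id` query parameter.
function suspicious_rest_post_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the method and request target out of the common log format.
        if (!preg_match('/"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[0-9.]+"/', $line, $m)) {
            continue;
        }
        $path  = parse_url($m['target'], PHP_URL_PATH);
        $query = parse_url($m['target'], PHP_URL_QUERY);

        // Only the single-post route matters here; the collection route is ignored.
        if (!is_string($path) || !preg_match('#/wp-json/wp/v2/posts/\d+$#', $path)) {
            continue;
        }
        if (!is_string($query)) {
            continue;                   // no query string, nothing to override the path ID
        }
        parse_str($query, $params);     // URL-decodes, so "456%20ABC" becomes "456 ABC"
        if (!isset($params['id']) || ctype_digit((string) $params['id'])) {
            continue;                   // no `id` override, or a well-formed numeric one
        }
        $hits[] = [
            'method' => $m['method'],
            'target' => $m['target'],
            'id'     => $params['id'],
        ];
    }
    return $hits;
}

print_r(suspicious_rest_post_requests($log_lines));
```

Only the second line is reported: the first has no query override, the third carries a purely numeric `id`, and the fourth targets the collection route rather than a single post. The same condition (path ID present, query `id` present, query `id` not a plain decimal string) is what a blocking rule in front of a site that cannot yet be upgraded would test for.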

WordPress has a mature security community and established ways of finding vulnerabilities and deploying fixes, but it is important for WordPress administrators to keep abreast of security news. Something as powerful as REST API functionality should not have been turned on by default, particularly as it won't be needed by the majority of WordPress sites. One option is to install the Disable REST API plug-in to make sure that the REST API isn't available as a potential attack vector.


This was last published in July 2017
