A serious zero-day vulnerability has been discovered in WordPress, and fixed as of its most recent stable release. All WordPress users are encouraged to make sure that they have updated their installation to version 4.7.2, as otherwise their site could be hijacked.
It’s thought that the exploit could give attackers the ability to modify the content on any post or page that’s part of a site built with WordPress, as per a report from Tripwire. Obviously, this lends itself to garden variety vandalism, but there’s also the threat of a much more troubling form of attack.
The vulnerability could be used to introduce harmful links into otherwise benign content. These links could take users to sites that install malicious software on their computers, or even be utilized as one element of a larger phishing scam, using the WordPress site as cover.
The problem was discovered by researchers at security firm Sucuri, which notified WordPress on January 20. The vulnerability was kept quiet at the time, because a fix had to be developed, and making the issue public could potentially have allowed malicious entities to take advantage.
Major WordPress hosting services and security companies were notified about the vulnerability ahead of its existence being disclosed to the public. Data from these organizations showed no indication that attackers had been able to exploit the issue.
However, now that the problem has been made public, it’s possible that criminal entities could use the vulnerability to target WordPress installations that aren’t up to date. Version 4.7.2 has been available since January 26, but users that don’t have automatic updates activated will need to initiate the process manually.
That means that if you have a WordPress site set up that you haven’t looked at in a while, it’s time to make sure it’s running version 4.7.2. It only takes a moment to check that you’re up to date — but if hackers manage to exploit this vulnerability on your site, you’re in for a much bigger headache.
