WordPress Content Injection Vulnerability - ASM Mitigation

Last week, a critical vulnerability has been detected in WordPress 4.7/4.7.1 by Sucuri researchers: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

The vulnerability allows unauthenticated attackers to change the contents of posts in WordPress, using a simple GET or POST request.

This allows for as much as defacement or phishing attempts on WordPress sites. No evidence of this vulnerability leading to RCE has been reported yet.

ASM is able to mitigate this vulnerability using the following user-defined signatures:

content:"/wp-json/wp/v2/posts/"; nocase; content:"id="; nocase; re2:"/id=\s*?\+?\d+[^&\s\d]+?/i";
content:"/wp-json/wp/v2/posts/"; nocase; content:"|22|id|22|"; nocase; re2:"/\x22id\x22\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?/i";
content:"/wp-json/wp/v2/posts/"; nocase; content:"|27|id|27|"; nocase; re2:"/\x27id\x27\s*?:\s*?\x22\s*?\+?\d+[^\x22\d]+?/i";

These signatures are expected to be included in the upcoming ASM security update, releasing next week.

WordPress administrators are encouraged to upgrade to WordPress 4.7.2 as soon as possible.

Updated Jun 23, 2022
Version 2.0

Was this article helpful?

No CommentsBe the first to comment