WordPress delayed disclosing a severe vulnerability by nearly one week "to ensure the safety of millions of... WordPress sites," explained Aaron Campbell, a WordPress core contributor.

WordPress last week silently patched a high-severity vulnerability that allows unauthenticated users to remotely modify the content of any post or page, the content management system provider revealed on Wednesday.

WordPress waited nearly a week to publicly disclose the issue so that it could first privately inform content delivery platforms and website hosts and give them time to install the CMS's latest update, version 4.7.2. Only versions 4.7 and 4.7.1 were affected; earlier versions were not.

"It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites," explained Aaron Campbell, a WordPress core contributor, in a blog post published on WordPress.org.

Sucuri researcher Marc-Alexandre Montpas discovered the bug while auditing various open-source projects as part of a vulnerability research project initiated by the website security company.

Specifically, the flaw is an unauthenticated privilege escalation vulnerability in WordPress' REST API, the HTTP interface (added to core in 4.7, which is why earlier versions are unaffected) that lets other applications read and write site content. Akamai Technologies, one of the content delivery platform providers that WordPress alerted in advance, further explained in its own blog post that the vulnerability can be exploited by abusing type juggling, a PHP programming feature "where the developer allows the type of data being entered to be determined by its context."

Essentially, by adding non-numeric characters to an ID parameter in either the query string or the POST payload, attackers can bypass an authorization check, allowing them to modify content at will. "From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads," Sucuri warns in a blog post authored by Montpas.
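The bypass described above, as an added illustration in PHP that is not WordPress code: a permission check that only refuses when it manages to look up a post, paired with an update path that casts the id with `(int)`. To the lenient check an id like `1abc` is "no post", so it allows the request; to the update path `(int) "1abc"` is `1`, a real post. The in-memory post store, user ids and function names (`find_post`, `vulnerable_permission_check`, `hardened_permission_check`, `update_post`) are constructed for this example; the hardened check at the end resolves the id the same strict way the update path will and fails closed when nothing is found.

```php
<?php
// Added illustration, not WordPress code: a permission check and an update
// path that disagree about which post a non-numeric "id" names.

// Constructed in-memory post store: post id => [author id, content].
$posts = [
    1 => ['author' => 2, 'content' => 'Hello world'],
];

// Stand-in for a lookup that only understands well-formed numeric ids;
// anything else, such as "1abc", finds nothing.
function find_post(array $posts, $id): ?array {
    if (!is_int($id) && !preg_match('/^\d+$/', (string) $id)) {
        return null;
    }
    return $posts[(int) $id] ?? null;
}

// Vulnerable pattern: refuse only when a post WAS found and the caller may not
// edit it. An id that looks up to nothing falls through to "allowed".
function vulnerable_permission_check(array $posts, $id, int $user_id): bool {
    $post = find_post($posts, $id);
    if ($post !== null && $post['author'] !== $user_id) {
        return false;
    }
    return true;
}

// The update path casts to int, so "1abc" becomes 1 and hits a real post.
function update_post(array &$posts, $id, string $content): bool {
    $id = (int) $id;
    if (!isset($posts[$id])) {
        return false;
    }
    $posts[$id]['content'] = $content;
    return true;
}

// Hardened pattern: reject ids that are not purely numeric, resolve the id
// exactly as the update path will, and fail closed when no post exists.
function hardened_permission_check(array $posts, $id, int $user_id): bool {
    if (!preg_match('/^\d+$/', (string) $id)) {
        return false;
    }
    $post = $posts[(int) $id] ?? null;
    if ($post === null) {
        return false;
    }
    return $post['author'] === $user_id;
}

$attacker = 99; // constructed user id that owns no posts

// Attacker sends id=1abc: the lenient check finds no post and allows the
// request, then the update casts the id to 1 and overwrites post 1.
if (vulnerable_permission_check($posts, '1abc', $attacker)) {
    update_post($posts, '1abc', 'defaced');
}
echo "vulnerable: ", $posts[1]['content'], "\n";

// Same request against the hardened check is refused before any write.
$posts[1]['content'] = 'Hello world';
if (hardened_permission_check($posts, '1abc', $attacker)) {
    update_post($posts, '1abc', 'defaced');
}
echo "hardened:   ", $posts[1]['content'], "\n";
```

In the real API the malformed id reached the handler through a query-string or POST parameter rather than the URL path, which is why a digits-only route pattern alone did not stop it; the general lesson is that a permission check must resolve its target exactly the way the action does, and must refuse when the target cannot be resolved rather than treating "not found" as "nothing to protect".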

"Remote command execution... may also be possible, depending upon which WordPress plugins are installed and enabled," advised Akamai.

Withholding disclosure of a serious bug from the public is a potentially controversial move, because users may not grasp the urgency of updating immediately, leaving them exposed if a bad actor discovers and exploits the vulnerability before they act. However, Daniel Cid, founder and CTO of Sucuri, told SC Media that he thought WordPress handled this situation "very well."

"In cases like this where the exploitation is very easy, it gave time for all the users to patch, hosts to be aware and security providers to create rules to block and detect it. That gave the defenders a one-week advantage over the attackers that will come," said Cid in an email interview.

There is no evidence that attackers have exploited the vulnerability, WordPress noted.