WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.
A bug in a WordPress REST API endpoint allowed more than 100,000 websites to be hacked over the past two weeks. According to security firm Sucuri, the websites were hacked solely because their admins did not update WordPress as advised by the company. The exploit allows hackers to update content published on a WordPress website running version 4.7.0 or 4.7.1.
The security flaw, a zero-day vulnerability which affects the WordPress REST API, allows attackers to modify the content of posts or pages within a website backed by the WordPress content management system (CMS).
The reason the vulnerability wasn’t made public at the time of WordPress 4.7.2’s release was the real worry that malicious hackers might race to exploit the flaw, attacking millions of blogs and company websites. We have here, but not before a few headlines on Data Center Knowledge were altered to read “Hacked by (insert group name here)”. Sucuri also warned that version 4.7.2 may not automatically update even if that feature is turned on in WordPress.
MuhmadEmad, a Kurdish anti-ISIS hacktivist working for the Kurdlinux team, has hacked thousands of websites, leaving a message praising the Kurdish Peshmerga forces. This is not the first time the Kurdish hacker has targeted websites, leaving a message saying ‘Long Live the Peshmerga’. On Monday, the National Treasury Management Agency (NTMA) said that its official website was hacked by MuhmadEmad. “The perpetrator also posted a picture of the Kurdish flag, and wrote ‘long live Peshmerga’.”
To keep your websites from being hacked with this exploit, cyber security professionals have asked site owners to update to the latest WordPress version, 4.7.2.
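Because 4.7.2 may not have been applied automatically, it is worth checking what each install is actually running. The script below is an added example, not part of the original article or of WordPress: it reads the `$wp_version` line that WordPress keeps in `wp-includes/version.php` and flags 4.7.0 and 4.7.1. The function names and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Releases the article names as exploitable; 4.7.2 carries the fix.
AFFECTED = {(4, 7, 0), (4, 7, 1)}

# WordPress records its version in version.php as: $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_version(text):
    """Return (major, minor, patch) from version.php contents, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not nums:
        return None
    # WordPress writes an x.y.0 release as 'x.y', so a missing patch means 0.
    return tuple(int(g or 0) for g in nums.groups())


def audit(root):
    """Map each install found under root to (version, affected)."""
    results = {}
    for vf in sorted(Path(root).rglob("wp-includes/version.php")):
        ver = parse_version(vf.read_text(errors="replace"))
        site = str(vf.parent.parent.relative_to(root))
        # An unreadable version is flagged too, so it gets a manual look.
        results[site] = (ver, ver is None or ver in AFFECTED)
    return results


def build_sample_tree(root):
    """Constructed sample installs so the example runs offline."""
    for name, ver in {"blog": "4.7", "shop": "4.7.1", "docs": "4.7.2"}.items():
        d = Path(root) / name / "wp-includes"
        d.mkdir(parents=True)
        (d / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, (ver, affected) in audit(tmp).items():
            print(site, ver, "UPDATE NOW" if affected else "ok")
```

To check real sites, call `audit()` with the directory that holds your WordPress installs, for example the web root.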
Please contact our sales team at firstname.lastname@example.org if you have any questions or concerns.