{"id":23737,"date":"2017-02-10T08:20:05","date_gmt":"2017-02-10T14:20:05","guid":{"rendered":"https:\/\/wpengine.com\/?p=23737"},"modified":"2021-11-21T14:34:00","modified_gmt":"2021-11-21T20:34:00","slug":"rest-api-vulnerability","status":"publish","type":"post","link":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/","title":{"rendered":"1.5 Million Pages Defaced Through REST API Vulnerability"},"content":{"rendered":"<p>In late January 2017, <a href=\"https:\/\/wpengine.com\/blog\/delivering-enterprise-grade-security-for-all\/\" target=\"_blank\" rel=\"noopener\">WordPress 4.7.2<\/a> was released with security patches for <a href=\"https:\/\/wordpress.org\/news\/2017\/01\/wordpress-4-7-2-security-release\/\" target=\"_blank\" rel=\"noopener\">four different vulnerabilities<\/a>. Three of them were disclosed at the time of the release; the fourth was deliberately held back while WordPress privately contacted <a href=\"https:\/\/wpengine.com\/\">WordPress hosts<\/a> and WAF vendors with guidance on protecting users before the details became public.<\/p>\n<p>It was later revealed that the withheld issue, the most critical of the four, is a vulnerability in a REST API endpoint that allows an unauthenticated attacker to modify the content of posts and pages on any site running WordPress 4.7.0 or 4.7.1. At the time of writing, some 20 hacking groups had defaced more than 1.5 million web pages across thousands of websites still running those two outdated versions.<\/p>\n<p>The vulnerability was discovered and privately reported by <a href=\"https:\/\/blog.sucuri.net\/2017\/02\/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html\" target=\"_blank\" rel=\"noopener\">Sucuri researchers<\/a>; WordPress fixed it in the 4.7.2 update and coordinated with Sucuri and other WAF vendors so that protective rules were in place before disclosure. 
(See here for WordPress\u2019 full <a href=\"https:\/\/make.wordpress.org\/core\/2017\/02\/01\/disclosure-of-additional-security-fix-in-wordpress-4-7-2\/\" target=\"_blank\" rel=\"noopener\">disclosure<\/a>.)<\/p>\n<figure id=\"attachment_23740\" aria-describedby=\"caption-attachment-23740\" style=\"width: 533px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-23740 size-full\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2017\/02\/REST_API_Defaced_Pages_Totals-updated.jpg\" alt=\"1.5 Million Sites Defaced Through REST API Vulnerability\" width=\"533\" height=\"516\" srcset=\"https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/REST_API_Defaced_Pages_Totals-updated.jpg 533w, https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/REST_API_Defaced_Pages_Totals-updated-300x290.jpg 300w, https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/REST_API_Defaced_Pages_Totals-updated-149x144.jpg 149w, https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/REST_API_Defaced_Pages_Totals-updated-516x500.jpg 516w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><figcaption id=\"caption-attachment-23740\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/threatpost.com\/1-5m-unpatched-wordpress-sites-hacked-following-vulnerability-disclosure\/123691\/\" target=\"_blank\" rel=\"noopener\">Threat Post<\/a><\/figcaption><\/figure>\n<p>The REST API content endpoints were first introduced to WordPress 4.7.0 in December 2016. 
Sites still running 4.7.0 or 4.7.1 must therefore be updated to 4.7.2 or later to close the content-injection hole. Releases older than 4.7 do not expose these endpoints and are not affected by this particular flaw, but they lack other security fixes and should be updated as well.<\/p>\n<p>WP Engine customers need not worry: we have been issuing patches across the platform to upgrade installs to the current stable version. As soon as a new version of WordPress rolls out, we automatically upgrade your site so it contains the latest security patches. <a href=\"https:\/\/wpengine.com\/support\/wordpress-updates\/\" target=\"_blank\" rel=\"noopener\">Automated security updates<\/a> are part of our promise to deliver the most secure WordPress experience possible.<\/p>\n<p><em>See here for more information on <a href=\"https:\/\/wpengine.com\/secure-wordpress-hosting\/\" target=\"_blank\" rel=\"noopener\">secure WordPress hosting<\/a> with WP Engine.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In late January 2017, WordPress 4.7.2 was released, containing security patches that addressed&nbsp;four different vulnerabilities. Three of the vulnerabilities were disclosed at the time of the release, while WordPress&nbsp;privately contacted WordPress hosts with information about ways to protect users. 
It was later revealed that the most critical issue of the bunch is a vulnerability in<span class=\"tile__ellipses\">&hellip;<\/span><span class=\"tile__ellipses--animated\"><\/span><\/p>\n","protected":false},"author":114,"featured_media":23747,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85],"tags":[503,13],"class_list":["post-23737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-2","tag-rest-api","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine<\/title>\n<meta name=\"description\" content=\"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. It was later revealed that the most critical issue...\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine\" \/>\n<meta property=\"og:description\" content=\"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. 
It was later revealed that the most critical issue...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"WP Engine\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/wpengine\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-10T14:20:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-11-21T20:34:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/rest-api-security-wordpress-hero.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"824\" \/>\n\t<meta property=\"og:image:height\" content=\"342\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Darcy Wheeler\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@wpengine\" \/>\n<meta name=\"twitter:site\" content=\"@wpengine\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Darcy Wheeler\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/\",\"url\":\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/\",\"name\":\"1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine\",\"isPartOf\":{\"@id\":\"https:\/\/wpengine.com\/resources\/#website\"},\"datePublished\":\"2017-02-10T14:20:05+00:00\",\"dateModified\":\"2021-11-21T20:34:00+00:00\",\"author\":{\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/34868282515de283b983c228d0824b39\"},\"description\":\"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. It was later revealed that the most critical issue...\",\"breadcrumb\":{\"@id\":\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/wpengine.com\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"1.5 Million Pages Defaced Through REST API Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/wpengine.com\/resources\/#website\",\"url\":\"https:\/\/wpengine.com\/resources\/\",\"name\":\"WP Engine\",\"description\":\"Managed Hosting for WordPress\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/wpengine.com\/resources\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/34868282515de283b983c228d0824b39\",\"name\":\"Darcy Wheeler\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2a901348de6e810af952ffb72a21dbfc3e77868c2acb539d7d92524a9f1bb7be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2a901348de6e810af952ffb72a21dbfc3e77868c2acb539d7d92524a9f1bb7be?s=96&d=mm&r=g\",\"caption\":\"Darcy Wheeler\"},\"description\":\"A photography and art enthusiast, in her spare time she enjoys traveling, practicing yoga, designing items for her craft store, and trying new cooking recipes. Follow her on Twitter @darewhee.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine","description":"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. It was later revealed that the most critical issue...","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine","og_description":"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. 
It was later revealed that the most critical issue...","og_url":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/","og_site_name":"WP Engine","article_publisher":"https:\/\/www.facebook.com\/wpengine","article_published_time":"2017-02-10T14:20:05+00:00","article_modified_time":"2021-11-21T20:34:00+00:00","og_image":[{"width":824,"height":342,"url":"https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2017\/02\/rest-api-security-wordpress-hero.jpg","type":"image\/jpeg"}],"author":"Darcy Wheeler","twitter_card":"summary_large_image","twitter_creator":"@wpengine","twitter_site":"@wpengine","twitter_misc":{"Written by":"Darcy Wheeler","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/","url":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/","name":"1.5 Million Pages Defaced Through REST API Vulnerability | WP Engine","isPartOf":{"@id":"https:\/\/wpengine.com\/resources\/#website"},"datePublished":"2017-02-10T14:20:05+00:00","dateModified":"2021-11-21T20:34:00+00:00","author":{"@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/34868282515de283b983c228d0824b39"},"description":"In late January, WordPress 4.7.2 was released, containing security patches for four vulnerabilities. 
It was later revealed that the most critical issue...","breadcrumb":{"@id":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/wpengine.com\/resources\/rest-api-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wpengine.com\/resources\/"},{"@type":"ListItem","position":2,"name":"1.5 Million Pages Defaced Through REST API Vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/wpengine.com\/resources\/#website","url":"https:\/\/wpengine.com\/resources\/","name":"WP Engine","description":"Managed Hosting for WordPress","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wpengine.com\/resources\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/34868282515de283b983c228d0824b39","name":"Darcy Wheeler","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2a901348de6e810af952ffb72a21dbfc3e77868c2acb539d7d92524a9f1bb7be?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2a901348de6e810af952ffb72a21dbfc3e77868c2acb539d7d92524a9f1bb7be?s=96&d=mm&r=g","caption":"Darcy Wheeler"},"description":"A photography and art enthusiast, in her spare time she enjoys traveling, practicing yoga, designing items for her craft store, and trying new cooking recipes. 
Follow her on Twitter @darewhee."}]}},"acf":[],"_links":{"self":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts\/23737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/comments?post=23737"}],"version-history":[{"count":0,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts\/23737\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/media\/23747"}],"wp:attachment":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/media?parent=23737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/categories?post=23737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/tags?post=23737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
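The post's one actionable instruction is "check whether the install is on 4.7.0 or 4.7.1 and update". The script below is an added example (not WP Engine's or WordPress core's code) that performs that check offline: it reads the `$wp_version` assignment from `wp-includes/version.php`, the file WordPress core really ships, and classifies the version against the 4.7.2 fix. The `version.php` contents it checks are constructed for the demo, and the status labels and function names are this example's own. One caveat it handles: WordPress omits a trailing `.0`, so a 4.7.0 install reports itself as `'4.7'`, and a naive string match for `4.7.0` misses it.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# First release containing the fix, and first release shipping the REST
# content endpoints (both from the WordPress 4.7.2 disclosure).
FIXED_IN = (4, 7, 2)
REST_CONTENT_SINCE = (4, 7, 0)

AFFECTED = "affected"        # 4.7.0 / 4.7.1: update immediately
FIXED = "fixed"              # 4.7.2 or later
PREDATES = "predates-rest"   # older than 4.7: endpoint absent, but still outdated

# wp-includes/version.php carries a line such as:  $wp_version = '4.7.1';
_WP_VERSION_RE = re.compile(
    r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE
)


def extract_wp_version(version_php_text: str) -> Optional[str]:
    """Pull the raw $wp_version string out of version.php text, or None if absent."""
    match = _WP_VERSION_RE.search(version_php_text)
    return match.group(1) if match else None


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Normalise '4.7', '4.7.1' or '4.7.2-RC1' to a (major, minor, patch) tuple.

    WordPress drops a trailing .0, so 4.7.0 reports itself as '4.7'.
    """
    core = raw.split("-", 1)[0]            # discard pre-release / nightly suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(raw: str) -> str:
    """Classify a reported version relative to the 4.7.2 fix."""
    version = parse_version(raw)
    if version < REST_CONTENT_SINCE:
        return PREDATES
    if version < FIXED_IN:
        return AFFECTED
    # A pre-release of the fixed version ('4.7.2-alpha-...') may predate the
    # patch; treat it conservatively as affected.
    if version == FIXED_IN and "-" in raw:
        return AFFECTED
    return FIXED


def check_install(wp_root: Path) -> Tuple[Optional[str], str]:
    """Read wp-includes/version.php under wp_root and return (raw version, status)."""
    text = (wp_root / "wp-includes" / "version.php").read_text(encoding="utf-8")
    raw = extract_wp_version(text)
    if raw is None:
        return None, "unknown (no $wp_version assignment found)"
    return raw, classify(raw)


# Constructed stand-in for the relevant part of version.php (demo input only).
SAMPLE_VERSION_PHP = "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '4.7.1';\n"


def demo() -> Tuple[Optional[str], str]:
    """Write the constructed sample into a temporary tree and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text(SAMPLE_VERSION_PHP, encoding="utf-8")
        return check_install(root)


if __name__ == "__main__":
    version, status = demo()
    print(f"sample install reports {version!r}: {status}")
    for v in ("4.6.3", "4.7", "4.7.1", "4.7.2", "4.7.2-alpha-39930", "4.8"):
        print(f"{v:>20}: {classify(v)}")
```

Point `check_install` at the document root of a real install (the directory containing `wp-includes/`) to check it; a managed host that auto-updates, as the post describes, should report `fixed` everywhere.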