WordPress Content Injection REST API Vulnerability (WP 4.7 and 4.7.1)
As WordPress evolves in popularity, so does the intricacy of this free and open-source content management system based on MySQL and PHP. WordPress has certainly progressed from its early days in 2003 as one of the most sought-after blogging platforms and has become the most popular online publishing platform across the globe.
Your website is precious to your business, and, much as in real life, there are anti-social elements looking for opportunities to benefit at the expense of others. If you have a WordPress-based website, you are familiar with the ease and accessibility this open-source CMS offers. However, with the constant additions to WordPress, hackers can compromise your website without your authorization.
In the past, WordPress has come across various vulnerability issues such as –
- Authenticated File Delete.
- Authenticated Post Type Bypass.
- PHP Object Injection via Metadata.
- Authenticated Cross-Site Scripting (XSS).
- Cross-Site Scripting (XSS) that could affect plugins.
- User Activation Screen Search Engine Indexing.
- File Upload to XSS on Apache Web Servers.
Of late, a critical content injection (privilege escalation) vulnerability affecting the REST API has been discovered.
The functionality of the REST API plug-in is integrated into WordPress 4.7.0 and later versions, which raises security issues.
🔴 Vulnerability: Privilege Escalation / Content Injection
🔴 Vulnerability rating
🔴 Vulnerability description
The functionality of the original REST API plugin is integrated into WordPress 4.7.0 and later versions and is enabled by default. If your permalinks are not set to Plain, the following tag appears in the HTML head of the WordPress website homepage:
<link rel="https://api.w.org/" href="http://www.xxx.com/wp-json/">
From this tag, the WordPress REST API address http://xxx.com/wp-json/ can be obtained.
Using the API’s GET and POST requests, attackers can inject malicious content into the site, escalate privileges, and modify the content of articles, pages, and so on. In severe cases, sensitive data may leak.
🔴 Affected scope
- WordPress 4.7.0
- WordPress 4.7.1
🔴 How to fix
Patched Version : 4.7.2
Additional Info : The REST API was added in WP 4.4, released in December 2015, but a plugin was needed to activate it. From WP 4.7 onwards no plugin is needed; it comes enabled by default. This vulnerability is specific to the REST API, so 4.7.0 and 4.7.1 are directly affected because the API is enabled by default there.
Let us get acquainted with this vulnerability in detail.
What is REST API?
The REST API (Representational State Transfer Application Programming Interface) is a newer, lightweight interface through which developers can conveniently connect WordPress with other applications.
The REST API has been a default feature since WordPress version 4, and it is used in various themes and plugins. With the REST API, developers have a uniform way to communicate with WordPress. In the dynamic world of the web, the REST API benefits all WordPress users and the future of WordPress itself.
What is REST API Vulnerability in WordPress
Through this vulnerability, an unauthorized user can change the content of any post or page on a WordPress website.
If a web application is not properly secured, it becomes easy prey for attackers, who can supply content through a parameter value that changes the content of the page. Because the page is served from a trusted domain, the visitor is led to believe that the content displayed on the website is legitimate and not from a malicious source.
The illegitimate links are crafted especially to mimic a login form and steal vital information, such as login credentials. The attacker then delivers the links to the user through an email.
If the user visits the page at the malicious URL and logs into the account, trusting that they are viewing legitimate content, the attacker gets exactly the opportunity they were looking for to exploit both the content and the trust of the user.
How the WordPress REST API Works
To retrieve information from a website, attackers send a specific HTTP GET request that the REST API understands. Consider the example in the image below, where an HTTP GET query is sent to a test website running on the test server.
As seen in the above image, the website does not return any information that is not already publicly available. However, it returns it in a particular format that can easily be interpreted by automated tools. In the image below, an HTTP request is sent to get the list of posts saved on the test website. The requested URL is http://www.local.com/wp-json/wp/v2/posts/.
When it comes to risks, they are pretty much identical to those of RSS feeds. Scrapers are usually tech-savvy and have all the expertise needed to steal your content regardless of the format.
You don’t have to be a scientist to know that if you make it easier for people to steal, they will. So, whether they access your data in JSON or RSS format, content is content, and the REST API makes it even easier for anyone to make changes to the website’s content, meta, tags, categories and much more.
Now let us shift our attention to user data, which is a whole new level of risk altogether. User data is personal; therefore, there is a potential risk. What is more worrying is that by default a user’s display name is their name, which in turn defaults to the registered username. This means that the registered usernames of the website are publicly accessible, which poses a security risk.
Let us discuss the risks of WordPress Web API Vulnerability exploit in detail.
Privacy Risk –
For most WordPress-based websites, the privacy risk is probably a non-issue. But for websites that have to comply with certain privacy policies or company regulations, publicly sharing details of the users can be a significant issue. Or perhaps your website needs to keep all author details confidential for political or legal reasons.
Security Risk –
For the security risk, the importance and severity of the issue are debatable. Generally, hackers require only two things to gain access to your website –
- User name
- Password
And with the WordPress REST API, they now have easy access to half of what they need. Therefore, the REST API introduces a security weakness by making it easier for hackers to gain access to your website.
Instead of guessing both the correct username and the password, all the hackers now need to do is guess the password, which, for many user accounts, is like a walk in the park.
Defacement Campaigns –
Using this vulnerability, some hacking groups have defaced the websites of various companies. If your website gets hacked and falls prey to this exploit, unapproved messages will be displayed under your brand.
Defacement campaigns are considered the easiest attacks performed by hackers on vulnerable websites. By making some changes to the meta details of the pages, they can significantly change the SERP ranking of your website.
SEO Spam Exploitations –
In addition to defacement campaigns, there are various other ways in which hackers exploit this vulnerability. More sophisticated attacks involve manipulating the content of the website to serve the SEO interests of various unauthorized parties.
Also termed “spamdexing,” SEO spam is the practice of creating websites and generating online content that ranks highly in search engines by illegitimate means.
While defacement campaigns can harm your online reputation, SEO spam is the main way hackers abuse the vulnerability for monetary gain. Hackers can also use vulnerable websites to boost their own rankings through backlinks and other SEO practices.
How to find WordPress REST API Exploit in Hacked WordPress Site
Where does the Vulnerability Exist
The script ./wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 4.7.0 contains a call to register_rest_route that registers the route with an ID parameter restricted to digits.
The endpoint for creating, deleting, or updating WordPress posts is /wp/v2/posts/. To update a post, a request is sent to the endpoint along with its ID, e.g. 111, so the endpoint to update that post is /wp-json/wp/v2/posts/111.
To see how register_rest_route is called, refer to the image –
Because the ID in the URL path must match the route’s digit-only pattern, a malicious ID cannot be placed there directly. However, the same id parameter can also be supplied in the query string, where it is not restricted to digits, and this plays a pivotal role in exploiting the vulnerability.
Crafted requests such as /wp-json/wp/v2/posts/111?id=111wphackedhelp set the id parameter to ‘111wphackedhelp’, which consists of both digits and letters.
This alphanumeric id ‘111wphackedhelptest’ is then passed to the function update_item_permissions_check (as shown in the above image), which checks whether a post with the matching id exists and whether the caller has permission to edit it.
The only case where you are stopped from moving further is when the crafted id matches an existing post and the permission to edit that post is missing.
Here, however, no post has the crafted id, since all WordPress posts have numeric ids, so the check passes and execution continues to the update_item method without being stopped.
The implementation of the update_item method can be seen in the image below –
The update_item method accepts the non-numeric id and uses PHP’s int casting to convert it to an integer. The crafted id parameter with the value 111wphackedhelptest is thus converted to 111, which is an existing, valid post id.
The following interactive session shows how PHP’s int cast behaves –
```php
php > $id = "111wphackedhelptest";
php > echo (int) $id . PHP_EOL;
111
php >
```
If the id is successfully converted to an integer and a post with the matching id exists, the update is applied successfully.
Likewise, an attacker can request /wp-json/wp/v2/posts/111?id=222wphackedhelptest to change the post with id 222.
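To make the flow above concrete, here is an added illustration (my own model, not WordPress source) of how the vulnerable controller handled the id, beside a hardened variant that validates the id before any lookup and uses the same integer for the permission check and the write. The post store, the anonymous caller and the function names route_matches, vulnerable_update and hardened_update are constructed for the demonstration; the first call writes to post 222 while the second is refused.

```php
<?php
// Added model of the 4.7.0/4.7.1 posts controller flow, not WordPress source.
// Constructed post store; WordPress posts always have numeric ids.
$posts = [111 => 'Post 111', 222 => 'Post 222'];

// Mirrors the route regex /wp/v2/posts/(?P<id>[\d]+): only digits pass in the path.
function route_matches(string $path): bool {
    return (bool) preg_match('#^/wp/v2/posts/(?P<id>\d+)$#', $path);
}

// The anonymous visitor in this model never has edit rights.
function current_user_can_edit(): bool { return false; }

// Vulnerable flow: a query-string id takes precedence over the path id. The
// permission check looks up the raw string (no post has a non-numeric id, so
// nothing is found and no "forbidden" is raised); the update then casts the
// same string to int and writes to a real post.
function vulnerable_update(array &$posts, string $path, array $query, string $body): string {
    if (!route_matches($path)) return 'rest_no_route';
    $id = $query['id'] ?? basename($path);            // "222wphackedhelptest" wins
    if (isset($posts[$id]) && !current_user_can_edit()) {
        return 'rest_cannot_edit';                    // never reached for a crafted id
    }
    $id = (int) $id;                                  // "222wphackedhelptest" -> 222
    if (!isset($posts[$id])) return 'rest_post_invalid_id';
    $posts[$id] = $body;
    return "updated $id";
}

// Hardened flow: reject anything but a plain digit string before any lookup and
// use the same validated integer for both the permission check and the write.
function hardened_update(array &$posts, string $path, array $query, string $body): string {
    if (!route_matches($path)) return 'rest_no_route';
    $raw = (string) ($query['id'] ?? basename($path));
    if (!ctype_digit($raw)) return 'rest_invalid_param';
    $id = (int) $raw;
    if (!isset($posts[$id])) return 'rest_post_invalid_id';
    if (!current_user_can_edit()) return 'rest_cannot_edit';
    $posts[$id] = $body;
    return "updated $id";
}

$crafted = ['id' => '222wphackedhelptest'];
echo vulnerable_update($posts, '/wp/v2/posts/111', $crafted, '<injected>'), PHP_EOL;
echo hardened_update($posts, '/wp/v2/posts/111', $crafted, '<injected>'), PHP_EOL;
```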
Dangers Of REST API Vulnerability in WordPress
Using the content injection vulnerability, attackers aiming to edit posts can run automated attacks over random ids (1 to n). This leads to advertisements being added to the posts or to changes in the post content.
If the website has certain plugins installed, even PHP code can be executed.
An automated attack on this vulnerability can jeopardize thousands of posts in a single run. Exploitation can result in code execution and content injection, and it is considered serious because so many websites across the globe run on WordPress.
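The request shape described in the previous section leaves a distinctive trace in the web server access log: a write to /wp-json/wp/v2/posts/<digits> whose id query value is not purely numeric. As an added example (not from the original post), this script scans constructed common-log-format lines for that signature and groups hits per client address, which also surfaces the automated sweeps over many ids mentioned above. The function name find_injection_attempts and the sample lines are my own.

```php
<?php
// Added example, not from the post: scan an access log for the content-injection
// request shape (write to /wp/v2/posts/<n> with a non-numeric id query value).
// The log lines below are constructed samples in common log format.
$log = <<<'LOG'
203.0.113.5 - - [01/Feb/2017:10:00:01 +0000] "POST /wp-json/wp/v2/posts/111?id=111wphackedhelp HTTP/1.1" 200 812
203.0.113.5 - - [01/Feb/2017:10:00:02 +0000] "POST /wp-json/wp/v2/posts/111?id=222wphackedhelp HTTP/1.1" 200 790
198.51.100.7 - - [01/Feb/2017:10:00:05 +0000] "GET /wp-json/wp/v2/posts/ HTTP/1.1" 200 5120
198.51.100.7 - - [01/Feb/2017:10:00:09 +0000] "POST /wp-json/wp/v2/posts/5?id=5 HTTP/1.1" 401 97
LOG;

// Client IP, timestamp, write method, digit-only path id, and an id query value
// that starts with digits (or nothing) and then carries at least one non-digit.
const INJECTION_SIGNATURE = '#^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>POST|PUT|PATCH) '
    . '/wp-json/wp/v2/posts/(?P<path_id>\d+)\?(?:[^ ]*&)?id=(?P<qid>\d*[^\d& ][^& ]*)#';

/** Returns [ip => [['time' => ..., 'raw_id' => ..., 'target_post' => int], ...]]. */
function find_injection_attempts(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(INJECTION_SIGNATURE, $line, $m)) {
            continue;
        }
        // (int) casting keeps only the leading digit run, so that is the post hit.
        $hits[$m['ip']][] = [
            'time'        => $m['ts'],
            'raw_id'      => $m['qid'],
            'target_post' => (int) $m['qid'],
        ];
    }
    return $hits;
}

foreach (find_injection_attempts($log) as $ip => $events) {
    $targets = array_unique(array_column($events, 'target_post'));
    printf("%s: %d suspicious write(s) targeting post id(s) %s\n",
        $ip, count($events), implode(', ', $targets));
}
```

A legitimate authenticated editor sends a purely numeric id, as in the last sample line, so it is not reported.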
What Does This Mean?
If you are running WordPress 4.7.0 or 4.7.1, it is time to upgrade right away. If you are worried that you might already have been affected, you can use the WordPress security scanner by WP Hacked Help to check your website for these issues.
How to Secure the REST API
So, at this point, you should have a sound understanding of how the WordPress REST API functions and why it poses a threat to a huge number of WordPress websites across the globe. Luckily, there are a couple of easy ways to lock it down using a WordPress plugin. Let us discuss a couple of the free options available.
How to Disable the WordPress REST API
If for some reason you want to disable the WordPress REST API, you can add the following snippet to your site-specific WordPress plugin or functions.php file (the callback is __return_false, with two leading underscores). Note that the rest_enabled filter is deprecated as of WordPress 4.7 and no longer switches the API off; on 4.7 and later, restrict access through the rest_authentication_errors filter instead.
```php
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');
```
This plugin disables the REST API for visitors who are not logged into WordPress. The best part is that no configuration is required; it consists of only 22 lines of code, making it super lightweight, fast and effective.
Salient Features –
- The key feature of this plugin is that it disables REST links in HTML head for all the users.
- Secondly, it disables REST/JSON for all the visitors who are not logged in.
- The plugin is 100% plug-and-play; all you need is to set it and forget it.
- Lastly, it disables the REST header in HTTP response for all the users.
This is one of the fastest ways to protect your website’s REST/JSON API from abuse. You may be wondering how it works. This is where the version of WordPress matters a lot.
WordPress 4.7 and beyond –
For WordPress 4.7 and above, this plugin disables the WordPress REST API unless you are logged into WordPress.
- If you are logged in, WordPress REST API will function without a glitch.
- If you are logged out, WordPress REST API will be disabled.
If you are logged out and make a JSON/REST request, you receive the message “rest_login_required: REST API restricted to authenticated users.”
For WordPress versions below 4.7, this plugin disables all REST API functionality for all users.
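As an added example (not the plugin’s own code), here is a minimal must-use plugin that reproduces the behaviour just described on WordPress 4.7 and later: the REST discovery link and header are removed, and anonymous REST requests are refused with the rest_login_required error. It assumes the standard wp-content/mu-plugins/ directory, which loads it without activation.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (added example)
 *
 * Added illustration of the behaviour described above, not the plugin's own code.
 * Place it in wp-content/mu-plugins/ so it loads without activation. Written for
 * WordPress 4.7 and later, where the API cannot be switched off entirely.
 */

// 1. Remove the <link rel="https://api.w.org/"> discovery tag from the HTML head.
remove_action('wp_head', 'rest_output_link_wp_head', 10);

// 2. Remove the matching Link: <.../wp-json/>; rel="https://api.w.org/" response header.
remove_action('template_redirect', 'rest_output_link_header', 11);

// 3. Refuse every REST request from an anonymous visitor. Core consults this
//    filter before dispatching any endpoint; a WP_Error here becomes the response.
add_filter('rest_authentication_errors', function ($result) {
    // true or a WP_Error means an earlier authentication handler already decided.
    if ($result !== null) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_login_required',
            __('REST API restricted to authenticated users.'),
            ['status' => 401]
        );
    }
    // Logged-in users fall through to the normal cookie and nonce checks;
    // returning true here would skip them and weaken CSRF protection.
    return $result;
});
```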
REST API Toolbox –
GitHub – wp-rest-api-toolbox WordPress plugin: https://github.com/petenelson/wp-rest-api-toolbox
This plugin allows adjustment of various REST API settings –
- Force SSL
- Disable the REST API
- WP-CLI commands: wp rest-api-toolbox
- Remove WordPress core endpoints
- Require authentication for core endpoints
It can be calamitous and maddening if your website is hacked. Rather than worrying about the technical side of things, you can trust the years of experience of WP Hacked Help to get your business back on track. If you have not enabled automatic updates on your website, update as soon as possible! This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Learn more about WordPress vulnerabilities and tips to secure your WordPress site.