It should be understood that this isn’t a theoretical risk — the vulnerability is being actively exploited by automated systems in the wild.
Southfield, MI (PRWEB) March 28, 2017
Future Hosting, a leading managed hosting provider, has issued a warning concerning the ongoing risk of site defacement and SEO spam for WordPress sites using WordPress 4.7 and 4.7.1 (as reported by Sucuri on March 17, 2017).
WordPress 4.7 introduced new REST API content endpoints. The implementation of some endpoints was insecure, allowing unauthenticated users to modify or replace posts. Numerous attacks have been seen to leverage this vulnerability to deface WordPress websites.
The vulnerability was patched with the release of WordPress 4.7.2, which was installed automatically on WordPress sites that allow automatic updates. Unfortunately, it appears that many WordPress sites have not updated and remain vulnerable.
“We provide web hosting for thousands of WordPress sites, and we’ve observed multiple attempts to exploit this vulnerability. We strongly encourage WordPress site owners to update as soon as possible,” said Maulesh Patel, VP of Operations of Future Hosting, “It should be understood that this isn’t a theoretical risk — the vulnerability is being actively exploited by automated systems in the wild. There’s a strong chance that unpatched sites will be vandalized.”
In addition to simple defacement of web pages, the vulnerability can be used to inject SEO spam. SEO spammers change the content of web pages so that they include links to pages under the spammers’ control. The links are intended to manipulate search rankings to improve the visibility of pages that often include illegal or insecure content.
Sites attacked by SEO spammers will no longer rank for their original content and are at risk of being penalized by search engine providers like Google.
WordPress site owners should update to WordPress 4.7.2 and, if possible, activate automatic updates to ensure that in the future, patches are applied as soon as they are released.
About Future Hosting, LLC
Founded in 2001, Future Hosting is a privately held leading Internet solutions provider specializing in managed hosting, including Dedicated Servers, Virtual Private Servers, and Hybrid Virtual Private Servers. The company has built a strong reputation for its high-quality service, innovative pricing models, and 3-hour Service Level Agreement. Future Hosting is based in Southfield, Michigan. For more information, visit http://www.futurehosting.com