WordPress users have been advised to update after a bug was found in the blogging platform's REST API.
The flaw, discovered on 20 January, has led to a flurry of attacks on WordPress blogs affecting up to 1.5 million pages.
The attacks began as simple defacements of blog pages but have since evolved, with hackers now using the vulnerability to try to hijack entire WordPress sites for their own purposes, whether spam or malware campaigns.
The vulnerability was in a REST API endpoint and allowed an unauthenticated attacker to escalate privileges and modify posts and pages on a site. It could be triggered with crafted HTTP requests that bypassed the endpoint's authorization check, so no login was needed. The affected versions were WordPress 4.7 and 4.7.1.
WordPress kept quiet
WordPress, which generally informs its users of security risks promptly, kept this one quiet for almost a week so that site owners could update before details of the vulnerability were released to the public.
Work on a fix started almost immediately, with support from the security firm Sucuri, which found the flaw. While the fix was being developed, Sucuri updated its Web Application Firewall (WAF) rules to block attempts to exploit the vulnerability against its clients. As the investigation progressed, other companies were contacted and helped to create rules to protect their own customers.
Ensure you have the latest version
During testing, no evidence was found that the vulnerability had yet been exploited in the wild. WordPress therefore decided to hold back further details so it could confirm that the fix worked. The delay also gave as many sites as possible a chance to be protected. Patch 4.7.2 was released as an automatic update, meaning many users were protected before they even knew there was an issue.
To ensure your WordPress site is protected, check that it is running WordPress 4.7.2 or later.
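Two checks a site owner can run offline, added here as an example and not code from the article, from WordPress or from Sucuri: the first reads the installed version out of the `$wp_version` variable that WordPress core keeps in `wp-includes/version.php` and reports whether it falls in the affected 4.7 / 4.7.1 range described above; the second triages web-server access logs for write requests (POST/PUT/PATCH/DELETE) against individual post and page routes of the REST API, the kind of "simple HTTP request" the vulnerability was abused through. It assumes the REST API exposes those routes under `/wp-json/wp/v2/posts/<id>` and `/wp-json/wp/v2/pages/<id>` (or `?rest_route=/wp/v2/...` when pretty permalinks are off); the log lines and the version.php snippet are constructed for the example.

```python
"""Offline checks for the WordPress 4.7 / 4.7.1 REST API content-injection bug.

Added example, not code from the article, WordPress or Sucuri.
Assumptions: WordPress core stores its version in wp-includes/version.php as
`$wp_version = '4.7.1';`, and the REST API item routes for posts and pages are
/wp-json/wp/v2/posts/<id> and /wp-json/wp/v2/pages/<id> (or the
?rest_route=/wp/v2/... form when pretty permalinks are disabled).
All sample data below is constructed.
"""
import re
from typing import List, Optional, Tuple

FIRST_FIXED = (4, 7, 2)   # first fixed release named in the article
FIRST_AFFECTED = (4, 7, 0)

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")


def parse_wp_version(php_source: str) -> Optional[str]:
    """Pull the version string out of wp-includes/version.php; None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.7.2-beta1' -> (4, 7, 2). Non-numeric suffixes are dropped and a
    missing patch component counts as 0, so '4.7' compares as (4, 7, 0)."""
    core = re.split(r"[^0-9.]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True only for the 4.7.0 and 4.7.1 releases named in the article."""
    return FIRST_AFFECTED <= version_tuple(version) < FIRST_FIXED


# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Item routes only: the collection route (/wp/v2/posts) is creation, not modification.
_ITEM_ROUTE_RE = re.compile(r"(?:/wp-json|rest_route=)/wp/v2/(?:posts|pages)/\d+")
_WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def flag_rest_write_requests(log_lines: List[str]) -> List[dict]:
    """Return one record per write request aimed at a post or page item route.

    A web-server log cannot see the auth cookie or nonce, so a hit is a lead to
    check against the site's editing activity, not proof of exploitation."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m.group("method") not in _WRITE_METHODS:
            continue
        if not _ITEM_ROUTE_RE.search(m.group("path")):
            continue
        hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


# Constructed sample data (not real traffic or a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2017:10:15:01 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2311',
    '203.0.113.5 - - [01/Feb/2017:10:15:03 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2398',
    '198.51.100.9 - - [01/Feb/2017:10:16:40 +0000] "POST /?rest_route=/wp/v2/pages/3 HTTP/1.1" 200 1870',
    '192.0.2.44 - - [01/Feb/2017:10:17:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Feb/2017:10:18:10 +0000] "PUT /wp-json/wp/v2/posts HTTP/1.1" 401 77',
]

if __name__ == "__main__":
    ver = parse_wp_version(SAMPLE_VERSION_PHP)
    print(f"WordPress {ver}: {'AFFECTED, update to 4.7.2 or later' if is_affected(ver) else 'not affected'}")
    for hit in flag_rest_write_requests(SAMPLE_LOG):
        print("review:", hit)
```

On a real site, feed `parse_wp_version` the contents of `wp-includes/version.php` and `flag_rest_write_requests` the access log for the period since 20 January 2017; a successful (HTTP 200) write to a post or page route from an address that never authenticated is the first thing to reconcile against the site's revision history.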
For more information, please visit: http://www.bbc.co.uk/news/technology-38930428