Many critical WordPress vulnerabilities were patched in the last couple of weeks, including SQL injection, cross-site scripting (XSS) and access control issues. These bugs were silently patched by the company before they fell into the hands of hackers. The company also delayed the vulnerability disclosure for over a week.
Several bugs have been patched by the developer of the WordPress content management system, and users have been informed. The latest version patched three vulnerabilities: SQL injection, cross-site scripting (XSS) and access control issues.
A week later, a developer admitted that version 4.7.2 had also patched another flaw: an unauthenticated privilege escalation and content injection vulnerability affecting the REST API. The bug allows attackers to modify the content of any page or post.
According to Sucuri, many WordPress websites still have not updated a week after the release of WordPress 4.7.2; these installations remain vulnerable to the critical bug, which has already been exploited by attackers.
Sucuri, the security researcher who privately disclosed the flaw to WordPress, said it started noticing attacks using this bug less than 48 hours after disclosure. It saw no fewer than four distinct techniques targeting still-unpatched sites.
In one of these scenarios, attackers had already modified the content of more than 65,000 web pages with “Hacked by” messages; two of the campaigns appear to have used a single IP address and defaced just 1,000 pages. Besides defacing websites, attackers were allegedly using black-hat SEO techniques to spread spam and gain search engine ranking, a practice also known as search engine poisoning.