WordPress 4.7.2 was released primarily to correct three security flaws, including a SQL injection and an XSS (cross-site scripting) flaw. Administrators who have yet to update their WordPress installation are at high risk of compromise.
This high risk stems from a vulnerability in the REST API of WordPress 4.7, a critical bug that is easy to exploit. It allows an attacker to inject content into an article without having the required rights. Simply put, it is an open door to everything. The vulnerability was promptly fixed in the latest update.
Sucuri was the first to raise the alert after detecting nearly 150,000 compromised websites during its latest monitoring. A large-scale automated injection campaign was detected, and at least four cyber criminals are now exploiting the vulnerability. Searching Google for “by w4l3XzY3” returns many indexed sites that have been exploited.
The hackers also seem to be claiming responsibility through simple vandalism, leaving their signature to let the world know who carried out the attack (they thrive on the publicity). Security experts have detected the following three campaigns, identified by the following signatures:
In addition, the IP addresses used by the hacker group w4l3XzY3:
- 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1
As for the other three attacks, launched by Cyb3r-Shia, By+NeT.Defacer and By+Hawleri_hackequi, the IP addresses are as follows:
“WordPress has an automatic update feature enabled by default, along with a one-click manual update procedure. Despite this, many people are not aware of this problem that affects the REST API or are not able to update their site. This leads to a large number of compromised and altered sites.”
Faced with these threats, we strongly advise all administrators to upgrade to the latest release, WordPress 4.7.2. We also recommend blocking the IP addresses mentioned above.
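For administrators who want to check whether a site was hit before they updated, the following added example (not code from the article, Sucuri or WordPress) scans exported post rows for the defacement signatures named above and triages web-server access-log lines for requests from the listed attacker address or writes to the REST API. The sample posts and log lines are constructed for the example; the `/wp-json/` prefix is an assumption about where the site serves its REST API, and the attacker address is the one given in the article, parsed with `ipaddress` so that matching does not depend on case or spacing.

```python
import ipaddress
import re

# Defacement signatures named in the article (matched case-insensitively).
DEFACEMENT_SIGNATURES = ("w4l3XzY3", "Cyb3r-Shia", "By+NeT.Defacer", "By+Hawleri_hackequi")

# The one attacker address the article lists, parsed so that comparisons
# ignore case and formatting differences rather than relying on string equality.
KNOWN_ATTACKER_IPS = frozenset({ipaddress.ip_address("2a00:1a48:7808:104:9b57:dda6:eb3c:61e1")})

# Assumption: WordPress serves its REST API under /wp-json/; any write method
# there deserves a look on a site that has not yet been updated.
REST_PREFIX = "/wp-json/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Apache/nginx combined log format, enough fields for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_defaced_posts(posts):
    """Return (post_id, signature) for every post whose title or body carries
    one of the defacement signatures. `posts` is an iterable of dicts with
    'id', 'title' and 'content' keys (e.g. rows exported from wp_posts)."""
    hits = []
    for post in posts:
        haystack = f"{post['title']} {post['content']}".lower()
        for sig in DEFACEMENT_SIGNATURES:
            if sig.lower() in haystack:
                hits.append((post["id"], sig))
                break  # one hit per post is enough for triage
    return hits


def triage_access_log(log_text, attacker_ips=KNOWN_ATTACKER_IPS):
    """Return (ip, path, reasons) for each request that comes from a listed
    attacker address or that writes to the REST API. Unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an IP literal; skip rather than crash
        reasons = []
        if ip in attacker_ips:
            reasons.append("known-attacker-ip")
        if m.group("method") in WRITE_METHODS and m.group("path").startswith(REST_PREFIX):
            reasons.append("rest-api-write")
        if reasons:
            findings.append((str(ip), m.group("path"), tuple(reasons)))
    return findings


# Constructed sample data (not taken from any real site).
SAMPLE_POSTS = [
    {"id": 1, "title": "Welcome", "content": "<p>Our new site is live.</p>"},
    {"id": 2, "title": "Welcome", "content": "<p>Hacked By w4l3XzY3</p>"},
    {"id": 3, "title": "Owned by+NeT.Defacer", "content": ""},
]

# Constructed log lines; the first uses the article's address in upper case
# to show that the ipaddress comparison still matches.
SAMPLE_LOG = """\
2A00:1A48:7808:104:9B57:DDA6:EB3C:61E1 - - [06/Feb/2017:10:15:32 +0000] "POST /wp-json/wp/v2/posts/2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Feb/2017:10:16:01 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Feb/2017:10:17:45 +0000] "POST /wp-json/wp/v2/posts/3 HTTP/1.1" 200 498 "-" "curl/7.51.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    for post_id, sig in find_defaced_posts(SAMPLE_POSTS):
        print(f"post {post_id}: defacement signature {sig!r}")
    for ip, path, reasons in triage_access_log(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(reasons)}")
```

Run it against a `wp_posts` export and the site's access log to get a short list of posts to restore and requests to investigate; a REST API write from an unknown address is only a lead, so confirm it against the post's revision history before acting on it.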