WordPress Content Injection Vulnerability | Office of Information Technology

WordPress Content Injection Vulnerability

Last Updated: 02/10/2017

Security Notice Level

SEVERE

According to Threatpost, 1.5 million WordPress sites have been hacked due to a silently fixed content injection vulnerability. The fix was released on January 26th, but was not immediately announced so that attackers would not be aware of the vulnerability. Wordfence researchers indicate this is “one of the worst WordPress related vulnerabilities to emerge in some time.” The IT Security Office recommends you update as soon as possible.

Affected Software

WordPress versions prior to 4.7.2

Solution

Update to WordPress 4.7.2 [1]
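For administrators responsible for several installations, the following script (an added example, not part of this notice or of WordPress) reads the $wp_version string from a copy of wp-includes/version.php and flags any install below 4.7.2; the sample file contents below are constructed.

```python
import re

# Minimum fixed version named in the notice.
FIXED_VERSION = "4.7.2"

# Constructed stand-in for the contents of wp-includes/version.php on an
# unpatched site; the real file also carries other assignments.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"


def parse_version(text):
    """Turn '4.7.1', '4.7' or '4.7.2-RC1' into a comparable 3-tuple of ints."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)          # drop suffixes such as '-RC1'
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:                    # '4.7' compares as 4.7.0
        nums.append(0)
    return tuple(nums[:3])


def wp_version_from_source(source):
    """Extract the $wp_version assignment from version.php text."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def is_vulnerable(version):
    """True when the install is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_install(version_php_path):
    """Return (version, vulnerable) for one WordPress document root."""
    with open(version_php_path, encoding="utf-8") as f:
        version = wp_version_from_source(f.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v = wp_version_from_source(SAMPLE_VERSION_PHP)
    print(v, "needs update" if is_vulnerable(v) else "ok")
```

Point check_install at <docroot>/wp-includes/version.php for each site you manage; a sub-4.7.2 result means the site should be updated before anything else.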

Security Bulletin Name

WordPress 4.7.2 Maintenance and Security Release

Additional Information

Additional information about this vulnerability can be viewed at:

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ [1]

https://threatpost.com/wordpress-silently-fixed-privilege-escalation-vulnerability-in-4-72-update/123533/

https://www.wordfence.com/blog/2017/02/rest-api-exploit-feeding-frenzy-deface-wordpress-sites/

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu. IT Service Center Hours: http://www.colorado.edu/oit/support/it-service-center