WordPress sites that haven't been updated to the most recent version, v4.7.2, released last week, are under attack as four hacking groups are conducting mass defacement campaigns.
According to web security firm Sucuri, who detected the attacks after details of the vulnerability became public last Monday, the attacks have been slowly growing, reaching almost 3,000 defacements per day.
Attackers are exploiting a vulnerability in the WordPress REST API, which the WordPress team fixed almost two weeks ago, but for which they published public details last Monday.
The vulnerability allows a remote attacker to craft an HTTP request that pings a REST API endpoint and alters titles and content on the user's website.
Exploiting the flaw is trivial, and according to Sucuri, a few public exploits have been published online since last week.
Although the vulnerability affects only WordPress 4.7.0 and 4.7.1, and the CMS has a built-in auto-update feature for security issues, many websites haven't been updated.
Based on data collected from Sucuri's honeypot test servers, four attackers have been busy in the past week trying to exploit the flaw.
|Group name||IP||Estimated victims|
2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 (IPv6 address)
Since the attacks have been going on for some days, Google has already started to index some of these defacements.
Currently, the groups using the REST API flaw to deface websites are only doing it for public brand exposure, only altering page titles and their content by adding their own name.
Sucuri's CTO, Daniel Cid, expects to see professional defacers enter the fray, such as SEO spam groups that will utilize the vulnerability to post more complex content, such as links and images.
These types of defacements are used to boost the SEO ranking of other sites or promote shady products. Websites that suffer from SEO-targeted defacements also have their SERP (Search Engine Result Page) indicator affected and risk losing their reputation on search engines, which in turn drives down traffic to their site.
Website owners are advised to update to WordPress 4.7.2 as soon as possible in order to avoid losing visibility on Google due to this REST API security issue.
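For administrators who run many installations, the version check implied above can be scripted. This is an added example, not code from Sucuri or WordPress; it assumes each site root contains the stock `wp-includes/version.php` file that sets `$wp_version`, and the function names and sample paths are hypothetical.

```python
import re
import sys
from pathlib import Path

# Releases the article names as affected; 4.7.2 carries the fix.
AFFECTED = {(4, 7, 0), (4, 7, 1)}

# Matches an uncommented assignment such as: $wp_version = '4.7.1';
_VERSION_RE = re.compile(
    r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_wp_version(version_php_text):
    """Return (major, minor, patch) from version.php contents, or None."""
    m = _VERSION_RE.search(version_php_text)
    if not m:
        return None
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not nums:
        return None
    major, minor, patch = nums.groups()
    # A bare "4.7" is release 4.7.0; suffixes such as "-RC1" are ignored.
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Label a parsed version against the affected set."""
    if version is None:
        return "unknown"
    return "vulnerable" if version in AFFECTED else "not-affected"


def audit(roots):
    """Map each site root to (version label, status)."""
    report = {}
    for root in roots:
        path = Path(root) / "wp-includes" / "version.php"
        try:
            version = parse_wp_version(path.read_text(errors="replace"))
        except OSError:
            version = None  # missing or unreadable: needs manual review
        label = ".".join(map(str, version)) if version else "?"
        report[str(root)] = (label, classify(version))
    return report


if __name__ == "__main__":
    # Usage: python wp_audit.py /var/www/site-a /var/www/site-b
    for root, (label, status) in audit(sys.argv[1:]).items():
        print(f"{status:13} {label:8} {root}")
```

Sites reported as `unknown` have no readable `version.php` at that path and should be checked by hand rather than assumed patched.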