The WordPress security team revealed yesterday that it had quietly fixed a zero-day vulnerability in the WordPress CMS, one that wasn't included in the official announcement of the release.
The revised WordPress 4.7.2 security changelog now also mentions that "an unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint," found by Sucuri researcher Marc-Alexandre Montpas.
"Our team found a very serious vulnerability on WordPress (unauthenticated content injection -> easily turned into RCE) that is going to be silently patched tomorrow - with the details to come in a few days," Sucuri informed clients in a threat alert advisory that Bleeping Computer obtained last week and held back from publication.
"We are working very closely with the WordPress security team and we got all major [web] hosts and WAF providers (CloudFlare, Incapsula, etc), to have virtual patching rules applied on their end before this is disclosed," the note continued.
"Due to the [bug's] severity and popularity of WordPress (20+% of the web), [...] the fix for this security issue will be hidden within other issues to give time for everyone to patch."
The threat alert was borne out yesterday when Aaron D. Campbell of the WordPress team confirmed that the security team had indeed patched an undisclosed flaw without telling users.
Campbell also confirmed WordPress' and Sucuri's efforts to notify major WordPress hosting providers and web security firms of the zero-day ahead of disclosure.
Thankfully, no attempts to exploit the vulnerability have been detected, either by Sucuri's web firewall or by those of other providers.
Montpas also published a blog post yesterday detailing the zero-day. According to the researcher, the flaw lies in the WordPress REST API and lets attackers craft malicious requests that edit the content of a WordPress site, such as pages and blog posts.
"Depending on the plugins enabled on the site, even PHP code could be executed very easily," Montpas added.
WordPress developers have worked on the REST API for three years, and only recently, with version 4.7.0, did they merge it into the main core, after many delays and amid concerns that it still needed work.
The REST API's purpose is to allow plugin and theme developers to interact with core WordPress features via simple, authenticated REST calls.
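As an added illustration of the authenticated REST calls described above (this is example plugin code written for this page, not code from WordPress core, from Sucuri, or from the patched endpoint), the following registers a route that edits a post's title only after an explicit capability check. The namespace `example-plugin/v1`, the route path, and the function name `example_plugin_update_title` are assumptions; `register_rest_route`, `permission_callback`, `current_user_can`, `wp_update_post` and `rest_ensure_response` are real WordPress APIs.

```php
<?php
/**
 * Added example (not WordPress core code): a plugin route that updates a
 * post title through the REST API. The permission_callback runs before the
 * handler, so unauthenticated or under-privileged callers never reach the
 * write. Namespace and function names below are assumptions for this page.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/posts/(?P<id>\d+)/title', array(
        'methods'  => 'POST',
        'callback' => 'example_plugin_update_title',

        // Gate the write: the target post must exist and the current user must
        // hold edit_post for that specific post. Returning false makes WordPress
        // answer with rest_forbidden (401 for anonymous, 403 for logged-in users).
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = absint( $request['id'] );
            if ( 0 === $id || null === get_post( $id ) ) {
                // Refuse unknown IDs outright instead of treating "no post" as "allowed".
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            return current_user_can( 'edit_post', $id );
        },

        'args' => array(
            'id' => array(
                'required' => true,
                // Accept only a strictly positive integer, whatever source the
                // value arrived from (path, query string or body).
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value )
                        && (int) $value > 0
                        && (string) (int) $value === (string) $value;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * Route handler: by the time this runs, args are validated and sanitized and
 * the permission_callback has confirmed the caller may edit the post.
 */
function example_plugin_update_title( WP_REST_Request $request ) {
    $id    = (int) $request['id'];
    $title = $request['title'];

    // Pass true so wp_update_post returns a WP_Error on failure instead of 0.
    $result = wp_update_post( array( 'ID' => $id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    return rest_ensure_response( array( 'id' => $id, 'title' => $title ) );
}
```

The defensive point for reviewers of any REST route, core or plugin, is in the permission callback: resolve the target post from the sanitized integer ID, fail closed when it cannot be found, and check the capability against that same ID, so that no parsing difference between the permission check and the handler can let a write through.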