According to reports, attackers have used a content-injection vulnerability in WordPress 4.7 and 4.7.1, disclosed and patched in WordPress 4.7.2, to deface over 1.5 million websites.
Experts describe the flaw, an unauthenticated privilege escalation in a REST API endpoint, as one of the most serious WordPress vulnerabilities to emerge in some time. The fix shipped without being announced; it was acknowledged only in an update to the 'WordPress 4.7.2 Security Release' post dated January 26, 2017. The update says: "An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2."
The 'Disclosure of Additional Security Fix in WordPress 4.7.2' post says of the vulnerability: "In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed.
There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this...We believe transparency is in the public's best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites."
According to experts who analyzed the vulnerability, thousands of attacks from several distinct campaigns were blocked once the attack pattern was identified. Even after WordPress shipped the fix, attackers reportedly kept targeting sites that had not yet applied it.
Some researchers also observed remote code execution attempts in the wild that relied on the REST API flaw. Attackers were reportedly especially interested in sites running plugins such as Insert PHP and Exec-PHP, which allow users to put PHP code directly into posts. On such a site the two weaknesses chain together: the REST API flaw lets an unauthenticated attacker inject content into a post in the database, and the plugin then executes the PHP embedded in that content when the post is rendered.
WordPress users were urged to update to version 4.7.2 to protect themselves against this vulnerability. Sites with automatic background updates enabled received 4.7.2 without manual intervention; sites that had disabled them had to update by hand.
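A practical first step for anyone responsible for a fleet of WordPress sites is to find the installs still on 4.7 or 4.7.1. The following Python example, added here and not taken from the article or from WordPress itself, reads the `generator` meta tag that a stock WordPress theme emits and classifies the site as affected (4.7 or 4.7.1), fixed (4.7.2 or later), unaffected (earlier than 4.7, which the WordPress disclosure says was never vulnerable), or unknown (tag missing). The sample HTML documents are constructed for offline use and do not represent any real site.

```python
import re
from typing import Optional, Tuple

# Releases named in the article: 4.7 and 4.7.1 are affected, 4.7.2 carries the fix.
AFFECTED_VERSIONS = {(4, 7), (4, 7, 1)}
FIXED_VERSION = (4, 7, 2)

# Constructed sample pages (not real sites) covering the cases a fleet scan meets.
SAMPLE_PAGES = {
    "vulnerable-site": '<html><head><meta name="generator" content="WordPress 4.7.1" /></head></html>',
    "patched-site": '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>',
    "newer-site": '<html><head><meta content="WordPress 4.8" name="generator"></head></html>',
    "old-site": '<html><head><meta name="generator" content="WordPress 4.6.3" /></head></html>',
    "stripped-site": '<html><head><title>site with generator tag removed</title></head></html>',
}

META_TAG_RE = re.compile(r"<meta\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')
WP_VERSION_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.0' into (4, 7); trailing zeros are dropped so 4.7.0 == 4.7."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def wordpress_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the version from the generator meta tag, or None if it is absent.

    Attributes are parsed individually so name/content order does not matter.
    """
    for tag in META_TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(1))}
        if attrs.get("name", "").lower() != "generator":
            continue
        match = WP_VERSION_RE.match(attrs.get("content", ""))
        if match:
            return parse_version(match.group(1))
    return None


def assess(html: str) -> str:
    """Classify a page as 'affected', 'fixed', 'unaffected' or 'unknown'."""
    version = wordpress_version(html)
    if version is None:
        return "unknown"
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version >= FIXED_VERSION:
        return "fixed"
    return "unaffected"


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(f"{name:16s} {wordpress_version(html)!s:12s} {assess(html)}")
```

Many hardening guides remove the generator tag, so "unknown" is common and must be followed up rather than treated as safe; on a host you control, `wp core version` from WP-CLI gives the authoritative answer. The check also says nothing about whether a site has the Insert PHP or Exec-PHP plugins installed, so an "affected" result should be treated as urgent regardless.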
Vulnerabilities like this one, which keep appearing, show how important it is to detect and patch them promptly; in this case the window between the silent fix and the defacement campaigns was a matter of days. Patch management, using software such as Comodo Patch Manager, is therefore an important part of website security.