Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains.
Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, which said four groups of attackers defaced over 67,000 pages.
The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm Wordfence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war.
Mass defacements started this week
The vulnerability at the core of this series of attacks is a bug discovered by Sucuri researchers, which the WordPress team fixed with the release of WordPress 4.7.2, on January 26.
According to Sucuri, attackers can craft simple HTTP requests that allow them to bypass authentication systems and edit the titles and content of WordPress pages. This vulnerability only affects sites running WordPress versions 4.7.0 and 4.7.1.
Initially, the vulnerability was deemed very high-risk, and the WordPress security team kept it a secret for almost a week, allowing a large number of WordPress site owners to update their CMS without being in peril from impending attacks.
Nonetheless, WordPress and Sucuri experts realized they couldn’t keep this a secret, and after a week, both teams revealed to the world that the WordPress 4.7.2 release included a secret fix for the WordPress REST API.
Sucuri’s initial fears became reality a few days later, as both Sucuri and Wordfence started seeing attacks leveraging the REST API flaw against sites the two were protecting.
As time passed, the number of attacks exploiting the REST API flaw grew, and it became clear to both companies that attackers had discovered how to exploit the flaw on sites that were left without an update, although nobody expected this sharp rise in hacked pages in such a short time.
“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites,” said Mark Maunder, Wordfence Founder and CEO. “During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.”
In reality, the number of attacks is much higher, if we take into account that not all sites are protected by Wordfence and Sucuri firewalls.