1.5 Million WordPress sites hacked using recently disclosed vulnerability

● The vulnerability was exploited to carry out Web Defacement and SEO spam campaign.

● The first hack leveraging this vulnerability was observed in less than 48 hours after disclosure.

Security researchers at Sucuri had disclosed that 1.5 million sites were hacked following the exposure of a critical vulnerability in WordPress. The flaw was found in the version 4.7.2 which was released on January 26. On the day of release, the developers of the content management system (CMS) had reported about a zero-day vulnerability in the WordPress and patched three vulnerabilities including SQL injection, cross-site scripting (XSS) and access control issue.

Roughly, one week later, the developers confirmed that the WordPress site had been hacked, allowing attackers to modify the content of any page or post on a targeted site. The developers described that flaw as an unauthorized privilege escalation which resided in WordPress REST API.

The WordPress hack in question was identified by security experts one week after the release of the WordPress 4.7.2 and users were also given enough time to patch their installations. However, it was found that this WordPress vulnerability was not patched in many sites, thus giving the hackers an opportunity to carry out the WordPress hack.

The experts have tracked four different defacement campaigns using this WordPress vulnerability till now. The first hack WordPress site leveraging this vulnerability was observed in less than 48 hours after disclosure.

In one of the campaigns, hackers exploited the WordPress vulnerability to manipulate the content of over 60,000 web pages and replaced them with ‘Hacked by’ messages. The other three WordPress hack campaigns involved targeting roughly 1000 pages in total.

Besides conducting web defacement campaigns, the researchers said that the WordPress site has been hacked primarily to spread SEO spam and gain ranking in search engine, which is also known as search engine poisoning.

“There’s already a few exploit attempts that try to add spam images and content to a post. Due to the monetization possibilities, this will likely be the #1 route to abuse this vulnerability. What we expect to see is a lot more SEO spam (Search Engine Poisoning) attempts moving forward,” explained Daniel Cid, CTO, and founder of Sucuri.

Meanwhile, SecurityWeek, the Information and IT news firm, has also noticed that some of the compromised websites have also been defaced by a fifth actor. Fortunately, some of the affected sited have been disinfected by applying patches.

Although the developers had released a security update to fix the issue, hackers will continue their attempt to hack WordPress site in future.

“Defacements don’t offer economic returns, so that will likely die soon. What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link/ad injections,” said Cid.

In order to stay safe from this type of hack, site administrators are urged to update their WordPress websites to the latest version 4.7.2 immediately before they become the next target of WordPress hack.