Researchers are urging WordPress users to patch their software after multiple hackers began exploiting a new vulnerability to deface over a million sites so far.
The unauthenticated privilege escalation vulnerability – which was discovered in a REST API endpoint – was patched in version 4.7.2 of the hugely popular blogging software.
However, not all users have automatic updates switched on, which left a window of opportunity for the black hats last week.
Two days after the fix had been announced, WordFence began to notice a major uptick in attacks, according to the security vendor’s CEO, Mark Maunder.
“Attacks continued and on February 6th we saw attackers had discovered a new variant on the attack which bypassed our rule and the rules that other firewall vendors had put into place,” he explained.
“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites. During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.”
The vendor said it is tracking 20 separate defacement campaigns, with some even defacing pages which had already been altered by rival hackers.
One individual, ‘MuhmadEmad’, was responsible for more than 350,000 defacements, according to WordFence data.
“This is one of the worst WordPress-related vulnerabilities to emerge in some time,” concluded Maunder. “Our site cleaners have been working with site owners all week to help them clean defaced sites. In every case the customer was not running our Premium firewall and had not updated to WordPress 4.7.2.”
WordPress is a particular favorite of hackers because it is so widely used – with a CMS market share of around 60%. A 2016 Sucuri report found that of 11,000+ infected sites studied, the vast majority of them (75%) were using WordPress.