Two WordPress properties I host were compromised yesterday and today; the attacker changed the title of the latest post to "hacked.." etc.
This is a vague question, but am I missing something from my ASL config that should've stopped them? We are running a slightly older version of WordPress, but I read a message in the ASL panel that the latest zero-day was already protected by ASL.
I ran wpscan on the site and the following core vulnerabilities showed up:
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2
[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
Reference: https://wpvulndb.com/vulnerabilities/8731
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2
[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Reference: https://wpvulndb.com/vulnerabilities/8734
Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[i] Fixed in: 4.7.2
Note: I have disabled the REST API on both properties with a plugin.