WordPress' core development team revealed that a recent update to the content management system quietly patched a critical vulnerability.
The vulnerability was discovered by Sucuri, a website security company, which said it "allows an unauthenticated user to modify the content of any post or page within a WordPress site." That's bad news for many sites: WordPress is used by news organizations like Time, Fortune, and USA Today; tech companies like IBM, Microsoft, and Facebook; and many other websites besides. WordPress itself says its software powers 27% of the internet.
Using those sites to disseminate false information--or even just undermining their credibility by defacing them--would have been a bit of a problem. Sucuri disclosed the vulnerability to the WordPress Security Team, who are said to have "handled it extremely well" and worked with Sucuri to "coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public," according to Sucuri.
WordPress then worked with other companies to make sure the vulnerability wouldn't be exploited after its revelation. That can be a problem with many services, because people don't always update their software right away, which means that when a security flaw is disclosed alongside the patch that fixes it, attackers have effectively been told how to break into systems that haven't been updated. WordPress contacted security companies, hosts, and others to stop that from happening here.
WordPress 4.7.2 debuted on January 26. The vulnerability was disclosed February 1--enough time for many WordPress users to update their systems, or for companies like CloudFlare to protect their customers--with an explanation for why it was kept quiet. Here's what WordPress said in a blog post:
By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.
On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.
WordPress users have been advised to update to version 4.7.2 as soon as possible. Despite the careful handling of this issue, and the response from companies like Sucuri and WordPress hosts, there are bound to be many WordPress-powered websites that are still affected by this vulnerability.
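For administrators who want to confirm that their installs actually picked up 4.7.2 rather than trusting the auto-updater, here is an added example (not code from the article, Sucuri, or the WordPress project) that reads the version string WordPress stores in wp-includes/version.php and reports whether it is at or above the fixed release named above. The sample file contents, the version number 4.7.1 in them, and the function names are all constructed for this example; the only figure taken from the page is 4.7.2 as the patched version.

```python
import re

# Version the article names as carrying the fix (taken from the page).
FIXED_VERSION = "4.7.2"

# Constructed sample of wp-includes/version.php from an install that has
# not updated yet. WordPress really keeps its version in this file in a
# $wp_version assignment; the 4.7.1 value here is made up for the example.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.7.1';
"""

# Match the $wp_version = '...'; assignment; the dollar sign is escaped
# because it is a regex anchor otherwise.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]\s*;""")


def extract_wp_version(version_php_text):
    """Return the version string declared in a version.php file's contents."""
    m = _VERSION_RE.search(version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def parse_version(v):
    """Turn '4.7.2' into (4, 7, 2) so versions compare numerically.

    Comparing as strings would rank '4.7.10' below '4.7.2', which is the
    classic mistake in homegrown version checks. A missing patch number is
    treated as 0 ('4.7' -> (4, 7, 0)); a pre-release suffix such as
    '-beta1' is stripped, which is a simplification chosen for this example.
    """
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version, fixed=FIXED_VERSION):
    """True when the install's version is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def assess(version_php_text):
    """Summarise one install: which version it runs and whether it is patched."""
    v = extract_wp_version(version_php_text)
    return {"version": v, "patched": is_patched(v)}


if __name__ == "__main__":
    # On a real server you would read the text from wp-includes/version.php.
    print(assess(SAMPLE_VERSION_PHP))
```

Run it against each site's wp-includes/version.php (over SSH, or from a hosting control panel that exposes the file) and anything reported as not patched still needs the update the article describes; a fleet-wide sweep is just this function applied to every install path.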