More than 100,000 WordPress webpages were defaced

eScan notifies that more than 100 000 webpages were defaced by exploiting vulnerability, which was already patched by Wordpress, but for criminals it took only 48 hours to use it against webpages.

Two weeks ago WordPress 4.7.2 was released, and website administrators running self-hosted versions of the hugely popular CMS and blogging platform were advised to update their systems as a matter of urgency. WordPress didin’t reveal that 4.72 had secretly included a fix for an undisclosed critical vulnerability.

If left unpatched, the vulnerability could allow a malicious attacker to modify the content of any post or page on a WordPress site. So it was kept as a secret worrying that malicious hackers might race to exploit the flaw, attacking millions of blogs and company websites. Especially because of fact that many WordPress sites are configured to automatically update themselves, or offer simple one-click updates.

Evidence has emerged that malicious hackers did not take long to strike after news of the vulnerability was made public, multiple public exploits were being shared and posted online within 48 hours. For example, one hacker group sprayed the words “by w4l3XzY3” across more than 66 thousands webpages. According to Google search results, something in the region of 100,000 webpages may have suffered from this particular defacement.

“While it seems a security flaw does not pose a significant threat to the webpages, hackers can take the opportunity to distribute fraud campaigns and seek for a financial benefit”, says Deividas Pelenis, Head of Sales at Baltimax, the distributor of eScan antivirus solutions.

Security experts advice to keep websites updated - it’s highly recommended to enable automatically roll out WordPress updates.