Sometimes It’s Good to be Paranoid
A few weeks ago in this blog, I wrote about WordPress 4.7 and the new REST API. I wrote:
As someone who has been in the security space since the early 1990s, my first thoughts are about the potential security risks. We don’t enable ports on our servers unless we have a specific reason to do so. Likewise, I believe we should be able to keep the REST API disabled unless we have a specific need for it. Just as the XML-RPC interface in WordPress has provided attackers with new ways to attack our websites, I expect that some enterprising hacker will figure out a way to use the REST API as an attack tool.
Well, it happened.
Security researchers disclosed a severe content injection (privilege escalation) vulnerability in the REST API shipped with WordPress 4.7.0 and 4.7.1. It allows an unauthenticated user to modify the content of any post or page on an affected site. The root cause was in how the posts endpoint handled its `id` parameter: the permission check looked the post up by the raw value, but the update itself cast that value to an integer, so an id such as `1abc` found no post (and therefore no permission to deny) yet still updated post 1. Whoo Boy! My recommendation to install the Disable REST API plugin appears to be well-founded.
The good news is that this vulnerability has been fixed in WordPress 4.7.2, released a few days ago. I’m suggesting in the strongest terms that you check your version of WordPress and, if it is not 4.7.2, update immediately. Sites with automatic background updates enabled should already have received 4.7.2, but verify rather than assume; a site that was sitting on 4.7.0 or 4.7.1 with the REST API reachable was exposed for the whole window between disclosure and update.
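One way to do that check from the server's own file system, as an added example that is not part of the original post: WordPress core records its version in `wp-includes/version.php` as `$wp_version = '4.7.1';`, so the script below parses that assignment and flags anything from 4.7 up to, but not including, 4.7.2. The sample file contents and the `check_install` path handling are constructed for the example; the version boundaries are the affected releases named above.

```python
import re
from pathlib import Path

# WordPress core records its version in wp-includes/version.php as
#   $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

# Tuples are (major, minor, patch, final) where final is 0 for a
# pre-release suffix such as '-RC1' and 1 for the released build.
FIRST_AFFECTED = (4, 7, 0, 0)   # 4.7 introduced the core REST API content endpoints
FIXED_IN = (4, 7, 2, 1)         # 4.7.2 fixed the content-injection flaw


def parse_wp_version(php_source: str) -> str:
    """Extract the $wp_version string from the text of version.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """Turn '4.7', '4.7.1' or '4.7.2-RC1' into a comparable tuple.

    A missing patch component is treated as 0, so '4.7' sorts as 4.7.0.
    A pre-release suffix makes the build sort *below* the final release
    of the same number, so '4.7.2-RC1' is still reported as affected.
    """
    core, sep, _suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    final = 0 if sep else 1
    return (*parts[:3], final)


def is_vulnerable(version: str) -> bool:
    """True if this core version carries the REST API content-injection flaw."""
    v = version_tuple(version)
    return FIRST_AFFECTED <= v < FIXED_IN


def check_install(wp_root) -> dict:
    """Read wp-includes/version.php under wp_root and report the result.

    wp_root is the directory that holds wp-config.php (hypothetical path
    handling for the example; adjust to your layout).
    """
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    version = parse_wp_version(src)
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample of the relevant line from version.php; a real file has more.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n"

if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print(v, "vulnerable" if is_vulnerable(v) else "not affected")
```

Run `check_install("/path/to/wordpress")` on the host itself. This only tells you what core version is installed; it does not know whether the Disable REST API plugin (or a web-server rule) is already blocking `/wp-json/`, so treat a "vulnerable" result as a reason to update, not as proof the endpoint was reachable.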