On Thursday, WordPress.org released WordPress 4.7.2, fixing the following four vulnerabilities.

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security.

The REST API vulnerability, which affects two previous WordPress builds that have the API enabled by default (WP 4.7 and 4.7.1), was reported by Sucuri. It allows an unauthenticated user to modify the content of any post or page within a WordPress site.

As noted in the original release, public disclosure of the REST API vulnerability was delayed. WordPress shares the details of the disclosure process in Disclosure of Additional Security Fix in WordPress 4.7.2. Responsible disclosure of a vulnerability allows stakeholders reasonable time to mitigate risks (create, distribute and apply patches or take other steps to harden) before public disclosure occurs.

WordPress instances that are configured to update automatically got the update shortly after WP 4.7.2 was released on Thursday (2/2). The WordPress instance running this site had automatic updates disabled, and became an easy target. The attacker altered content of the latest post, as shown int the screenshot.

The issue has been fixed and the altered post content restored. If you see content similar to the above screenshot on any page, please leave us feedback in post comments on the affected page or here.

Disabling REST API in WordPress

Interestingly, there’s no setting to disable the REST API in WordPress. This has been a topic of discussion among WordPress developers and community.

Before WordPress 4.7, you could disable the REST API by adding the following lines to the WordPress instance’s functions.php file. It uses the rest_enabled filter. More details in Robert Abela’s article here.

add_filter(‘rest_enabled’, ‘_return_false’);
add_filter(‘rest_jsonp_enabled’, ‘_return_false’);

WordPress is likely to see more REST integrations and dependencies, so disabling REST API is not recommended. The rest_enabled filter has been deprecated in WordPress 4.7.

As always, it’s critical to keep software updated. That’s as true for WordPress as it is for operating systems, platform components, middle ware and applications. WordPress’ automatic update functionality seems to have worked for most users, but there’s likely a significant number of WordPress sites that don’t have it enabled.


Enable remote desktop (RDP) connections for admins on Windows Server 2016

Windows Server 2016 has reached the General Availability (GA) milestone today. You can download it from your volume licensing site or MSDN. You can also create Azure VMs with Windows 2016. The latest and greatest Windows Server has many new Remote Desktop features. See What’s New in Remote Desktop Services in Windows Server 2016 for […]

More →

BleachBit’s claim of permanently deleting emails from Exchange

In a recent news segment featuring BleachBit, Fox Business questioned whether Democratic presidential nominee Hillary Clinton may have used the software to permanently delete emails from her mail server. The segment features BleachBit lead developer Andrew Viem. Politics and click bait headlines aside, readers will find the claims interesting. How to delete secret emails from […]

More →

Google adds Microsoft Exchange support to Gmail app for Android

Google has announced Microsoft Exchange support in its Gmail client for Android. Exchange ActiveSync (EAS) is the ubiquitous protocol for mobile email clients to sync with Exchange Server, Office 365, and other products/services that license it. EAS support in the Gmail client now allows it to access both Exchange Server and Exchange Online, the on-premises […]

More →

Use a PowerShell function to find an email address in Exchange

Exchange admins frequently need to find an Exchange recipient with a specified email address, particularly for generic organizational addresses such as [email protected] Five and a half ways to find an email address in Microsoft Exchange and Active Directory lists a few ways to do it, including PowerShell. If you do this frequently, you can add […]

More →

Use a PowerShell function to get AutoDiscover XML

If you manage Exchange or support Exchange Online users, you may need to retrieve the AutoDiscover XML response. You can use the Test E-mail AutoConfiguration option in Outlook or the AutoDiscover tests in Microsoft Remote Connectivity Analyzer to retrieve the AutoDiscover response. The good news is you can also use a PowerShell one-liner or function […]

More →

Maximum number of In-Place Holds on a mailbox in Exchange 2013 and Office 365

Since the early days of In-Place Hold, the number floating around (and documented) is a maximum of five In-Place Holds before Exchange holds all content, but it’s incorrect. See the Updates section at the bottom of this article for the latest. In Exchange 2013 and Exchange Online, you can use In-Place Hold to place messages […]

More →

eDiscovery Limits and Throttling Policies in Exchange Server and Office 365

In Exchange 2013 and Exchange Online, In-Place eDiscovery allows you to search a large number of mailboxes. Although the searches are performed against the indexes built by Exchange Search, they can potentially consume significant system resources. In on-premises deployments, this generally happens in control of or with the knowledge of Exchange admins, who can and […]

More →

Archiving auto-forwarded messages in Exchange Online and Exchange Server

Microsoft Exchange can now preserve automatically forwarded messages if user is placed on Litigation Hold or In-Place Hold. Over the last few years, the Information Protection team has done a great job of implementing Compliance features in Exchange (and Office 365) such as Litigation Hold and In-Place Hold to preserve messages, eDiscovery to search and […]

More →

Issue with Symantec Enterprise Vault and Exchange 2013 fixed in Exchange 2013 CU8

Microsoft released Exchange Server 2013 Cumulative Update 8 (CU8) yesterday. See KB 3030080: Cumulative Update 8 for Exchange Server 2013 for more details, including a list of fixes included in CU8. Symantec has documented an issue with Symantec Enterprise Vault™, Symantec’s on-premises archiving solution, and Exchange 2013 CU6 and CU7. The corresponding Microsoft KBA Symantec […]

More →