This post was originally published on February 6, 2017
Urgent WordPress Upgrade Alert
For those running WordPress to host their blogs/websites, please be aware that a vulnerability has been discovered in WordPress v4.7.1 and older that allows remote execution of SQL commands. Attackers can use this exploit to trash your articles/blog! The fix is quite simple: just make sure everything is up to date, especially WordPress itself!
Released by the Department of Homeland Security on 1-29-2017
- Affected Platform: WordPress
- Severity: Urgent
- Source 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5611
- Source 2: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before v4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
Log in to your WordPress site and run updates on all plugins, themes and WordPress itself. You should be running WordPress v4.7.2 or higher to correct this vulnerability.
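If you manage several installs, it helps to have a quick check that reads each site's `wp-includes/version.php` and flags anything below the 4.7.2 threshold the advisory gives. The script below is an added example written for this post, not code from WordPress or from the advisory; it assumes the standard `$wp_version = '...';` line that WordPress ships in that file, compares versions numerically (so 4.10 is correctly ranked above 4.7.2), and applies only the rule stated above (anything below 4.7.2 is flagged), without accounting for fixes that may have been backported to older branches.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Minimum fixed version, per the advisory text above.
FIXED_VERSION = "4.7.2"

# Constructed sample of wp-includes/version.php; a real install carries the
# same `$wp_version = '...';` assignment.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '4.7.1';
$wp_db_version = 38590;
"""

_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.2' or '4.10' into a comparable tuple of ints.

    Plain string comparison would rank '4.10' below '4.7.2', so compare
    component by component as integers. Missing trailing components count
    as 0, and a pre-release suffix such as '-beta1' is dropped, i.e. a dev
    build is treated like the release it is based on.
    """
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def extract_wp_version(version_php: str) -> Optional[str]:
    """Pull the version string out of the contents of version.php."""
    match = _VERSION_RE.search(version_php)
    return match.group(1) if match else None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the install is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(version_php: str) -> dict:
    """Report on one install given the text of its version.php."""
    version = extract_wp_version(version_php)
    if version is None:
        # Unparseable file: report it rather than silently passing it.
        return {"version": None, "vulnerable": None, "note": "version not found"}
    return {"version": version, "vulnerable": is_vulnerable(version), "note": ""}


def check_install(wp_root: Path) -> dict:
    """Assess the WordPress install rooted at wp_root (hypothetical path)."""
    version_file = wp_root / "wp-includes" / "version.php"
    if not version_file.is_file():
        return {"version": None, "vulnerable": None, "note": "version.php missing"}
    return assess(version_file.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Demo on the constructed sample; pass real install roots in practice.
    print(assess(SAMPLE_VERSION_PHP))
```

Run it against each site root (for example `check_install(Path("/var/www/example"))`); any result with `vulnerable` set to `True`, or with a non-empty `note`, is an install to update or inspect by hand.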
We just experienced this vulnerability in action on one of our other websites. The attacker was able to replace one of our articles with Turkish hacker garbage. Recovery was fairly simple: just go to the bottom of your post and restore an earlier version.