WordPress Delayed Disclosure of a Major Zero-Day Vulnerability, Why?

Remember that post I wrote about the WordPress REST API? If not, check out that article: "Should You Disable the WordPress REST API?" Keep in mind that the WordPress REST API provides a robust set of features and functionality that represents the future of WordPress, and, like all things new, some kinks just needed to be ironed out.

The Delayed Disclosure

It was just disclosed that the WordPress security team quietly fixed a serious security flaw in the previous version of WordPress with the 4.7.2 security update.
While they did disclose some of the fixes with the release of WordPress 4.7.2, there was one major issue that was fixed but was not disclosed immediately.

Explanation from the WordPress Team

Aaron Campbell, a WordPress core maintainer, stated: "It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites."

The reason for the delayed disclosure makes sense. The vulnerability is related to the WordPress REST API, a new feature added to the WordPress core in version 4.7, and it was severe enough that the WordPress Security Team wanted to first inform hosting providers, firewall providers, SiteLock, Cloudflare, Akamai, Incapsula and others who are all in a position to protect websites via their services and security products.

Who discovered the security flaw?

The bug was discovered by Marc-Alexandre Montpas, a security researcher from Sucuri.

So, what was the issue?

The security flaw could have given an attacker a way to add code to your website that could have injected ads, started an SEO spam campaign or infected your website with additional content.
Based on current information, it is believed that the security flaw was not exploited. It is recommended that you scan your website to make sure that things are the way they should be.
The team wanted to give website owners enough time to update to the current version of WordPress, which is 4.7.2, before the vulnerability was made known and could be acted upon by those looking to hack websites.
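One concrete way to act on that advice is to read the installed version from wp-includes/version.php and compare it numerically against 4.7.2, since a plain string comparison would wrongly treat a later release such as 4.7.10 as older than 4.7.2. The script below is an added example, not code from this post or from WordPress itself; the file contents are constructed, and the default path assumes a standard install.

```python
import re
from pathlib import Path

# Constructed stand-in for the relevant lines of wp-includes/version.php
# on an unpatched site (real files carry more variables; only $wp_version matters here).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"

# First release that shipped the fix discussed in the post.
FIXED_VERSION = "4.7.2"


def parse_wp_version(php_source: str) -> str:
    """Extract the value assigned to $wp_version in version.php source text."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version: str):
    """Sortable key: numeric components, then release-before-prerelease ordering.

    '4.7.2'       -> ((4, 7, 2), 1, '')
    '4.7.2-beta1' -> ((4, 7, 2), 0, 'beta1')   # pre-release sorts below the release
    '4.7.10'      -> ((4, 7, 10), 1, '')       # numerically above 4.7.2
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    return (numbers, 0 if suffix else 1, suffix)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or beyond the fixed release."""
    return version_key(version) >= version_key(fixed)


def check_install(wp_root: str = ".") -> tuple:
    """Read version.php under a WordPress root (assumed layout) and report (version, patched)."""
    source = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    version = parse_wp_version(source)
    return version, is_patched(version)


if __name__ == "__main__":
    installed = parse_wp_version(SAMPLE_VERSION_PHP)
    status = "patched" if is_patched(installed) else "UPDATE REQUIRED"
    print(f"WordPress {installed}: {status} (fix shipped in {FIXED_VERSION})")
```

Point `check_install()` at a real document root to check a live install; the sample data exists only so the script runs offline.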

This is one reason why WordPress is such a respected platform. It is actively developed by a talented team; it is an open source project, which gives anyone the opportunity to analyze the code (which is how this flaw was identified); and the team behind WordPress is committed to responsible and open disclosure. WordPress has proven to be committed to keeping people in the know.

The Takeaway

Hopefully you have already updated your WordPress-powered website to the latest release, 4.7.2, and you should continue to have confidence in the team that is actively working on the WordPress code. Thankfully, it is an open source project, and researchers like those from Sucuri are actively analyzing the code.
