Massive attack on WordPress sites
Attacks on WordPress sites which contain the REST API flaw have increased significantly, with 1.5 million pages defaced.
The WordPress REST API vulnerability allows a remote attacker to craft an HTTP request that pings a REST API endpoint and alters titles and content on the user’s website.
Exploiting the flaw is trivial and, according to Sucuri, a few public exploits have been published online since last week.
“Even if the vulnerability affects only WordPress 4.7.0 and 4.7.1 and the CMS has a built-in auto-update feature for security issues, many websites haven’t been updated,” said Sucuri.
Web security firm Wordfence said the latest number of compromised pages stands at 1.5 million – with 20 hacking groups involved in a defacement turf war.
To protect a WordPress site against the attacks, update it to the most recent version (v4.7.2).