CVSS 7.5 High

CVE-2017-1001000: REST API Defacement of 800K Sites

Overview

  • CVE: CVE-2017-1001000
  • Affected Versions: WordPress 4.7.0 to 4.7.1
  • CVSS: 7.5 (High)
  • Authentication: None required (unauthenticated attack)
  • Type: Privilege Escalation + Content Injection

In January 2017, a critical vulnerability was discovered in the REST API introduced in WordPress 4.7 that allowed unauthenticated attackers to modify any post on a WordPress site.

What Happened

The REST API endpoint /wp-json/wp/v2/posts/<id> introduced in WordPress 4.7 had a type juggling flaw in its parameter handling.

When a non-numeric string such as 1abc was passed as the id query parameter (for example, /wp-json/wp/v2/posts/1?id=1abc), PHP's loose type coercion caused the permission check to be bypassed, allowing unauthenticated users to overwrite any post's content.

Specifically, a request to /wp-json/wp/v2/posts/1?id=1abc would:

  1. Match post ID 1 in routing
  2. Evaluate id as 1abc during the permission check
  3. PHP's absint("1abc") returns 1 when the post is actually updated, but the permission check, which sees the raw string 1abc, does not enforce the edit capability
  4. Result: unauthenticated post update

How the Attack Works

The attack was remarkably simple:

POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "title": "Hacked by ...",
  "content": "This site has been defaced."
}

A single HTTP request could overwrite any post. No authentication credentials were needed.

Attackers created automated scripts to scan and attack WordPress sites across the internet at massive scale.
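The request shape above is easy to spot in web server logs after the fact. The following is an added example, not part of the original article or the Nyambush product: it scans combined-format access log lines (the sample lines are constructed, not real traffic) for write requests to the single-post REST route whose id query parameter is not a plain integer, which is the signature of the CVE-2017-1001000 request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2017:10:00:01 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 512 "-" "python-requests/2.12"
203.0.113.11 - - [01/Feb/2017:10:00:02 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Feb/2017:10:00:03 +0000] "POST /wp-json/wp/v2/posts/7?id=7 HTTP/1.1" 401 99 "-" "curl/7.50"
203.0.113.13 - - [01/Feb/2017:10:00:04 +0000] "PUT /wp-json/wp/v2/posts/3?id=3%20 HTTP/1.1" 200 512 "-" "curl/7.50"
203.0.113.14 - - [01/Feb/2017:10:00:05 +0000] "POST /wp-json/wp/v2/posts/12?id=12abc&context=edit HTTP/1.1" 200 600 "-" "-"
"""

# ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The single-post route: the path segment is always numeric by the route regex.
POST_ROUTE_RE = re.compile(r'^/wp-json/wp/v2/posts/(?P<route_id>\d+)/?$')
# Methods WordPress routes to update_item on this endpoint.
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def is_content_injection_attempt(method, target):
    """True when a write request to /wp-json/wp/v2/posts/<n> carries an
    `id` query parameter that is not a plain integer (e.g. id=1abc), the
    shape of the CVE-2017-1001000 request where the query id overrides
    the numeric route id."""
    if method.upper() not in WRITE_METHODS:
        return False
    parts = urlsplit(target)
    if not POST_ROUTE_RE.match(parts.path):
        return False
    # parse_qs percent-decodes values, so "3%20" becomes "3 " and is flagged.
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if not re.fullmatch(r"[0-9]+", value):
            return True
    return False


def scan_log(text):
    """Return (ip, timestamp, method, target, status) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_content_injection_attempt(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious REST API write:", hit)
```

A hit with a 200 status on an unpatched 4.7.0/4.7.1 site is a strong indicator that the post named in the path was modified and should be reviewed.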

Real-World Impact

The WordPress team silently released a patch (WordPress 4.7.2) on January 26, 2017, but attacks had already begun:

  • Within 48 hours of patch disclosure, attacks exploded in volume
  • Approximately 800,000 sites were defaced
  • Over 1.5 million pages were modified
  • At least 20 hacker groups carried out attacks simultaneously
  • Some sites had SEO spam links injected, causing search ranking drops
  • Defaced content appeared in Google search results

According to Sucuri's research, attack IP addresses numbered in the tens of thousands within one week of the patch release.

Fix and Lessons

Fix: Patched in WordPress 4.7.2. Proper type validation was added for the REST API ID parameter.

Lessons:

  1. Auto-update is essential: A mechanism to immediately apply patches is critical
  2. Silent patches have limits: The WordPress team intentionally delayed vulnerability disclosure by one week, yet massive attacks developed within 48 hours
  3. REST API risks: New features enabled by default should be disabled if not needed
  4. WAF value: Firewalls like Sucuri and Wordfence were blocking attacks even before the patch

Detection with Nyambush

Nyambush detects WordPress versions and cross-references them against known vulnerability databases. It also checks whether the REST API is enabled and warns when outdated WordPress versions are in use.

With scheduled scans, you receive immediate notifications when new vulnerabilities are disclosed. The window between patch release and active exploitation can be as short as a few hours.
