CVE-2017-1001000

HIGH EXPLOITED

WordPress 4.7.x < 4.7.2 - Unauthenticated Arbitrary Page Modification via REST API Endpoint

Title source: llm

Exploitation Summary

CVE-2017-1001000 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Marc Montpas, wvu, including a Metasploit module auxiliary/scanner/http/wordpress_content_injection.

AI-analyzed exploit summary This Metasploit module exploits a content injection vulnerability in WordPress 4.7 and 4.7.1 via type juggling in the REST API. It allows listing and updating posts without authentication.

Description

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

Exploits (1)

metasploit WORKING POC

by Marc Montpas, wvu · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_content_injection.rb

View Code ZIP pw:eip

This Metasploit module exploits a content injection vulnerability in WordPress 4.7 and 4.7.1 via type juggling in the REST API. It allows listing and updating posts without authentication.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: WordPress 4.7 and 4.7.1

No auth needed

Prerequisites: WordPress REST API enabled · WordPress version 4.7 or 4.7.1

MITRE ATT&CK