ID:125 - Exploit for Security bypass in WordPress - CVE-2017-1001000

Link to public exploit:

Vulnerability description

The vulnerability allows a remote attacker to inject arbitrary content.

The vulnerability exists due to web application fails to check privileges when processing requests sent via REST API in /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php script. A remote attacker can send a specially crafted HTTP request to /wp-json/wp/v2/posts/{POST_ID} URL and post arbitrary content to your website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks, spread spam content, etc. In certain cases this vulnerability can lead to remote PHP code execution leveraging functionality of third-party plugins.

Note: this vulnerability is being actively exploited in the wild.

Remediation