As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered was a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.

We disclosed the vulnerability to the WordPress Security Team who handled it extremely well.

Continue reading Content Injection Vulnerability in WordPress at Sucuri Blog.

Via Sucuri.net