Automated Detection of WordPress Content Injection Vulnerability
Md. Maruf Hassan Touhid Bhuiyan
Daffodil International University, Daffodil International University,
Dhaka, Bangladesh Dhaka, Bangladesh
maruf.swe@diu.edu.bd t.bhuiyan@daffodilvarsity.edu.bd
AbstractGiven the increasing need of clients for web
applications, the use of content management systems (CMS) is on
the rise. Nowadays, the most popular CMS is WordPress. Almost
32% of all CMS applications are developed in WordPress.
However, in a recent study, versions 4.7.0 and 4.7.1 of the
WordPress CMS have shown to have a vulnerability called
WordPress content injection vulnerability [1][2] This paper aims
to discuss the WordPress content injection vulnerability and
provide a detection system to identify this vulnerability using
preventive techniques that help to keep the web application user
more secure. In our research, we study almost 200 CMS web
applications and find most of these applications to be vulnerable
owing to a default vulnerable page and fewer updated versions.
To help avoid this vulnerability, we provide tools that can detect
this vulnerability. Based on our research, we develop a tool that
detects the WordPress content injection vulnerability and provide
preventive techniques.
KeywordsWordPress content injection vulnerability; CMS;
Detection Tools; prevention
I. INTRODUCTION
Nowadays, more than 3.6 billion people across the world use
the Internet and different web applications via an array of
devices due to their usability and easy anywhere, anytime
access [3]. In fact, web applications form the first step towards
automating day-to-day activities and upgrading existing
solutions. As a result, most organizations and service providers
in industrial, banking, government, educational, medical, and
other sectors use web applications to provide their services.
Although people need to use web applications, there is a high
risk of cyber attackers exploiting the weakness of these web
applications. According to OWASP and SANS [4][5], some of
the most common vulnerabilities of web applications are SQLi,
broken authentication and session management, XSS, CSRF,
security misconfiguration, LFI, LFD, unprotected APIs, and
buffer overflow.
In recent years, considerable effort has been made to
understand and deal with this problem. For instance,
organizations such as MITRE, SANS, and OWASP have
developed security awareness programmes to help companies
deal with the issue. Notwithstanding these efforts, a recent
study [6] shows that application developers are yet unable to
implement effective countermeasures for web application
vulnerabilities. The frequent occurrence of web application
vulnerability may be ascribed to careless coding and lack of
knowledge of cyber security.
To find this vulnerability in an automated way, different
researchers have proposed scanning or detection tools based on
different models. Some studies also compare the effectiveness
of various existing tools.
Saikat Biswas Md. Hasan Sharif
Daffodil International University Daffodil International
Dhaka, Bangladesh University, Dhaka, Bangladesh
saikatbiswas440@gmail.com hasan543@diu.edu.bd
In a recent research, the most popular WordPress CMS has
been found to contain a vulnerability called WordPress content
injection vulnerability. In our study, we develop a detection
tool that will help detect this vulnerability. In this paper, we
briefly discus the WordPress content injection vulnerability and
its detection techniques, besides providing preventive
measures.
This paper is structured into eight sections. Section 2 contains
a literature review. Section 3 gives a background to the
WordPress content injection vulnerability and its impact on
websites. After developing the detection tools, we provide the
detection process in Section 4. Using the tools, we collect data
and perform data analysis in Section 5. The causes of the
content injection vulnerability and the various preventive
techniques are provided in Section 6. The conclusion of the
research is provided in Section 7. Finally, Section 8 provides
outlook for future research.
II. LITERATURE REVIEW
In our research, we came across several studies on SQLi, XSS,
CSRF, RCE, LFI, LFD code injection, and buffer overflow [7]
[8][9][10][11]. Some studies also proposed models for
detecting this vulnerability [12][13][14][15][16][17], while
some developed scanning or detection tools based on their
proposed models [18][19][20][21][22][23][24][25][26][27].
Some researchers also performed analysis-based research on
the existing tools [16][28][29]. Few studies also dealt with
WordPress vulnerability [30][31]. However, we did not find
any research on WordPress content injection vulnerability,
which is the most recently detected vulnerability. In this paper,
our is focus on the WordPress content injection vulnerability
with automated detection tools and its preventive techniques.
III. BACKGROUND STUDY
A. What is WordPress Content Injection?
The WordPress content injection vulnerability is a privilege
escalation vulnerability that allows an unauthenticated user to
modify the content of any post or page on a WordPress site.
B. Why is WordPress Injection a Major Vulnerability?
This privilege escalation vulnerability affects the WordPress
REST API, which was recently added and enabled by default
on WordPress 4.7.0. One of these REST endpoints allows
access (via the API) to view, edit, delete, and create posts.
Within this endpoint, a subtle bug allows visitors to edit any
post on the site. The REST API is enabled by default on all
sites using WordPress 4.7.0 or 4.7.1. If your website happens to
be built on these versions of WordPress, then it is currently
vulnerable to this bug.
C. Impact of WordPress Content Injection Vulnerability:
As already mentioned, the WordPress content injection
vulnerability is a privilege escalation bug that allows
unauthorized users to edit any post or content of a WordPress
site. The impact and consequences of SQL injection attacks can
be classified as follows:
1. Confidentiality: Loss of confidentiality is a major
problem with WordPress content injection attacks.
Since this is a privilege escalation vulnerability,
unauthorized persons get access to sensitive data such
as edit and other privileges.
2. Integrity: A successful WordPress content injection
attack allows an external source to make unauthorized
modifications by altering or even editing information
from target web sites.
3. Authorization: Successful exploitation of the
WordPress content injection vulnerability allows an
attacker to change authorization information and gain
elevated privileges.
Nowadays, cyberattacks pose a major threat to web
applications. The recently released WordPress CMS web
application vulnerability is a kind of injection vulnerability that
gives an attacker the privilege to make changes to a web
application by editing posts, etc.
IV. WORDPRESS CONTENT INJECTION
VULNERABILITY DETECTION
The WordPress CMS has remained popular since 2003. Being
open source and user-friendly, it became the mostly widely
used CMS. The Secure Sucuri Firm has listed about 6,143
vulnerabilities from their projects and most of them are
handled and patched by their lab experts. However this newly 0
day vulnerability, Content Injection Vulnerability is conducting
with the REST API directly, in fact in these case it is also
allowing as content injection as well as privilege escalation. In
this case, the vulnerability might lead the normal user of the
infected versions 4.7.0 and 4.7.1 to alter the data lists of the
specific pages of the application.
Diagram: 1.0
A. Process of Conducting a Manual Injection:
For the general structural procedure, one first needs to know
the CMS versions of the web application. If it is from the
affected versions, the vulnerable content page must be
searched:
http://SomeWordpressSite.com/index.php/wp-
json/wp/v2/posts/5
If the following content page/post is found in the system, it
should be injected by any regular user. Our vulnerable page
shows the following error/broken html pages:
[{"id":123907,"date":"2017-03-
29T13:52:56","date_gmt":"2017-03-29T20:52:56","guid":
{"rendered":"https:\/\/www.demosite.com\/?
p=123907"},"modified":"2017-03-
29T13:53:12","modified_gmt":"2017-03-
29T20:53:12","slug":"yubihsm-2-open-beta-
It prioritizes $_GET and $_POST values over the ones
generated by the routes regular expression, thus making it
possible for an attacker to send a request like: /wp-
json/wp/v2/posts/5?id=5testpage.
The following get_instance() static method in WordPress is
used to grab posts.
To conduct an injection, one has to reply to the POST-ID using
http $POST methods.
{"id" : "5Test", "title" : "Checking for injection", "content" :
"here is the vulnerable page"}
With the REST API already enabled in the vulnerable version,
our html request will get executed and appear in the
vulnerable URL. It might also cause a serious remote code
execution (RCE) and JavaScript injection on the server, and
become fully controlled if a web shell is executed. Our tool
will get the response from the web APIs about the demo sites,
and if the response comes from the infected versions, the tool
will search for the vulnerable pages that might lead to an
injection.
 V. RESULT ANALYSIS
A. Result-based Analysis
According to Graph 01, out of the 200 investigated WordPress
web applications, 177 were vulnerable while 33 were not
vulnerable. This shows that a large number of WordPress
websites still contain this injection vulnerability.
Graph 01: WordPress content injection vulnerability found
and not found
B. Version-based Analysis:
In our analysis, we found that 106 vulnerable websites had
WordPress version 4.7.0 and 71 websites had version 4.7.1.
This is the result we got from our research, but this ratio can
vary in other cases. Therefore, we have to take proper
measures to be safe from this vulnerability.
Graph 02: Version-based vulnerability
C. Analysis based on the level of risk creating WordPress
content injection vulnerability:
The risk level is understood as the impact of compromising
critical information that could be retrieved from the websites
due to the WordPress content injection vulnerability. We have
categorized the risk into four different levelscritical, high,
medium, and low. The statistics of the given risk level are
shown in Graph 03. Based on our data set, 31% risk is
considered critical since the intruder can get full control of the
host server and the admin panel of the web application. As
many as 46% of websites are marked as high-risk sites, which
can be exploited easily by an outsider, causing serious harm to
the host server. In this review, 15% and 8% sites are
considered medium and low, respectively, in terms of the risk
of being exploited by the WordPress content injection
vulnerability.
Graph 03: Levels of risk caused by WordPress content
injection vulnerability
D. Access-based Result:
We found 140 vulnerable websites with specific access to a
page or post. On the other hand, we were able to get full
access in 37 web applications.
Graph: Access-based Analysis
VI. PREVENTION TECHNIQUES
Every WordPress installation makes a request to this server
about once an hour to check for a plugin, theme, or WordPress
core update for general prevention of regular ma.newly
disclosed vulnerability The response from this server contains
information about any newer versions that may be available,
including if the plugin, theme, or core needs to be updated
automatically. It also includes a URL to download and install
the updated software. Otherwise, developers need to change the
permission of generating new pages for accepting malicious
requests from unauthorized users and execute them to the
server.
VII. CONCLUSION
In our research, we scanned more than 200 WordPress CMS
4.7.0 and 4.7.1 web applications from across the world. We
found that the WordPress content injection vulnerability is
common for these two versions. In most cases, this
vulnerability occurs in json/wp/b2/posts as default directories.
The WordPress content injection vulnerability is a privilege
escalation that allows an unauthorized user to modify the
content of any post or page on a WordPress site. Thus, proper
preventive measures should be taken to forestall this
vulnerability. The first measure involves updating the
WordPress version. However, if updating this vulnerability is
not possible, it is recommended to delete the default vulnerable
page.
VIII. FUTURE WORK
1. We will enhance the detection tools by adding more
features like SQLi, XSS, RCE, broken authentication
etc.
REFERENCES
[1] Statistics for websites using CMS technologies 2017 [online] available:
https://trends.builtwith.com/cms accessed [14 April 2017].
[2] Content Injection Vulnerability in WordPress 2017 [online] available:
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-
api.html accessed [13 April 2017]
[3] Internet users in the world 2017 [online] available:
http://www.internetlivestats.com/internet-users/ accessed [12 April 2017].
[4] OWASP top ten vulnerability list 2017 [online] available:
https://www.sans.org/top25-software-errors/ accessed [14 April 2017]
[5] CWE/SANS Top 25 Dangerous Software errors 2017 [online] available:
https://www.sans.org/top25-software-errors/ accessed [12 April 2017]
[6] CWE-89: Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection') 2017[online] available:
http://cwe.mitre.org/data/definitions/89.html accessed [14 April 2017]
[7] N. I. Daud, K. A. A. Bakar and M. S. M. Hasan, "A case study on web
application vulnerability scanning tools," 2014 Science and Information
Conference, London, 2014, pp. 595600.
[8] H. Shahriar and M. Zulkernine, "Client-Side Detection of Cross-Site
Request Forgery Attacks," 2010 IEEE 21st International Symposium on
Software Reliability Engineering, San Jose, CA, 2010, pp. 358367.
[9] T. Farah, M. Shojol, M. Hassan and D. Alam, "Assessment of
vulnerabilities of web applications of Bangladesh: A case study of XSS &
CSRF," 2016 Sixth International Conference on Digital Information and
Communication Technology and its Applications (DICTAP), Konya, 2016, pp.
7478.
[10] D. Alam, M. A. Kabir, T. Bhuiyan and T. Farah, "A Case Study of SQL
Injection Vulnerabilities Assessment of .bd Domain Web Applications," 2015
Fourth International Conference on Cyber Security, Cyber Warfare, and
Digital Forensic (CyberSec), Jakarta, Indonesia, 2015, pp. 7377.
[11] T. Farah, D. Alam, M. N. B. Ali and M. A. Kabir, "Investigation of
Bangladesh region based web applications: A case study of 64 based, local,
and global SQLi vulnerability," 2015 IEEE International WIE Conference on
Electrical and Computer Engineering (WIECON-ECE), Dhaka, 2015, pp.
177180
[12] D. Huluka, O. Popov, Root Cause Analysis of Session Management and
Broken Authentication, World Congress on Internet Security (WorldCIS-
2012).
[13] V. M. Nadar, M. Chattergee, L. Jacob, Detection Model for CSRF and
Broken Authentication and Session Management Attack, International
Journal of Computer Science and Information Technologies, Vol.7(4), 2016,
18011804.
[14] L. Dukes, X. Yuan and F. Akowuah, "A case study on web application
security testing with tools and manual testing," 2013 Proceedings of IEEE
Southeastcon, Jacksonville, FL, 2013, pp. 16.
[15] D. Gol and N. Shah, "Detection of web application vulnerability based on
RUP model," 2015 National Conference on Recent Advances in Electronics &
Computer Engineering (RAECE), Roorkee, 2015, pp. 96100.
[16] A. Tajpour and M. J. z. Shooshtari, "Evaluation of SQL Injection
Detection and Prevention Techniques," 2010 2nd International Conference on
Computational Intelligence, Communication Systems and Networks,
Liverpool, 2010, pp. 216221.
[17] H. Shahriar and M. Zulkernine, "Client-Side Detection of Cross-Site
Request Forgery Attacks," 2010 IEEE 21st International Symposium on
Software Reliability Engineering, San Jose, CA, 2010, pp. 358367.
[18] K. Bhargavan, A. D. Lavaud, C. Fournet, A. Pironti and P. Y. Strub,
"Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication
over TLS," 2014 IEEE Symposium on Security and Privacy, San Jose, CA,
2014, pp. 98113.
[19] Q. Zhang, H. Chen and J. Sun, "An execution-flow based method for
detecting Cross-site Scripting attacks," The 2nd International Conference on
Software Engineering and Data Mining, Chengdu, China, 2010, pp. 160165.
[20] G. Agosta, A. Barenghi, A. Parata and G. Pelosi, "Automated Security
Analysis of Dynamic Web Applications through Symbolic Code
Execution," 2012 Ninth International Conference on Information Technology
- New Generations, Las Vegas, NV, 2012, pp. 189194.
[21] Zhushou Tang, Haojin Zhu, Zhenfu Cao and Shuai Zhao, "L-WMxD:
Lexical based Webmail XSS Discoverer," 2011 IEEE Conference on
Computer Communications Workshops (INFOCOM WKSHPS), Shanghai,
2011, pp. 976981.
[22] N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools
for Web Services," 2010 IEEE International Conference on Web Services,
Miami, FL, 2010, pp. 203210.
[23] E. Galn, A. Alcaide, A. Orfila and J. Blasco, "A multi-agent scanner to
detect stored-XSS vulnerabilities," 2010 International Conference for Internet
Technology and Secured Transactions, London, 2010, pp. 16.
[24] J. Bau, E. Bursztein, D. Gupta and J. Mitchell, "State of the Art:
Automated Black-Box Web Application Vulnerability Testing," 2010 IEEE
Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 332345.
[25] B. Delamore and R. K. L. Ko, "Escrow: A Large-Scale Web Vulnerability
Assessment Tool," 2014 IEEE 13th International Conference on Trust,
Security and Privacy in Computing and Communications, Beijing, 2014, pp.
983988.
[26] B. Eshete, A. Villafiorita and K. Weldemariam, "Early Detection of
Security Misconfiguration Vulnerabilities in Web Applications," 2011 Sixth
International Conference on Availability, Reliability and Security, Vienna,
2011, pp. 169174.
[27] Z. Djuric, "A black-box testing tool for detecting SQL injection
vulnerabilities," 2013 Second International Conference on Informatics &
Applications (ICIA), Lodz, 2013, pp. 216221.
[28] R. Johari and P. Sharma, "A Survey on Web Application Vulnerabilities
(SQLIA, XSS) Exploitation and Security Engine for SQL Injection," 2012
International Conference on Communication Systems and Network
Technologies, Rajkot, 2012, pp. 453458.
[29] Atefeh Tajpour, Mohammad Zaman Heydari, Maslin Masrom and
Suhaimi Ibrahim, "SQL injection detection and prevention tools
assessment," 3rd International Conference on Computer Science and [31] Felt, Adrienne Porter, et al. "Diesel: applying privilege separation to
Information Technology, Chengdu, 2010, pp. 518522. database access." Proceedings of the 6th ACM symposium on information,
[30] T. Koskinen, P. Ihantola and V. Karavirta, "Quality of WordPress Plug- computer and communications security. ACM, 2011.
Ins: An Overview of Security and User Ratings," 2012 International
Conference on Privacy, Security, Risk and Trust and 2012 International
Conference on Social Computing, Amsterdam, 2012, pp. 834837.