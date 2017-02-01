Hacker News
Another wordpress core exploit in the wild (sucuri.net)
This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0.

So basically people who updated religiously were hit, and those who did not were fine.

I am left wondering if running WordPress sites in a read-only state (both files and database) should be the only reasonably safe method.

A lot of people run the files with PHP ownership (so they can update via /wp-admin, or they just don't care), which opens the site to exploitation by any vulnerable plugin/theme.

But now it looks like even running proper permissions (NOT www-data) on the files is no longer enough, and we should consider putting MySQL in a read-only state when no editing is happening...

VERY SAD.
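The REST API that 4.7.0 enabled by default is reachable from any web server log, so one defender-side step is to watch for write-method requests against its content routes. The following is an added example, not code from the post or from WordPress/Sucuri; the log lines are constructed, and the route prefixes assume the standard `/wp-json/wp/v2/` and `?rest_route=` URL forms.

```python
import re
from collections import Counter

# Apache/nginx combined log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# State-changing methods against the /wp/v2 content routes, in both URL forms
# WordPress accepts (pretty permalinks and the rest_route query fallback).
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REST_PREFIXES = ("/wp-json/wp/v2/", "/index.php?rest_route=/wp/v2/")

def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_rest_write(rec):
    """True when the request uses a write method against a /wp/v2 content route."""
    return rec["method"] in WRITE_METHODS and rec["path"].startswith(REST_PREFIXES)

def rest_write_events(lines):
    """All REST write attempts as (ip, method, path, status), rejected ones included."""
    recs = (parse_line(line) for line in lines)
    return [(r["ip"], r["method"], r["path"], r["status"])
            for r in recs if r is not None and is_rest_write(r)]

def successful_writes_by_ip(lines):
    """Count REST writes the server accepted (2xx) per client; 401/403 is expected noise."""
    return Counter(ip for ip, _, _, status in rest_write_events(lines) if 200 <= status < 300)

SAMPLE_LOG = [  # constructed sample, RFC 5737 test addresses
    '198.51.100.7 - - [01/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123',
    '198.51.100.7 - - [01/Feb/2017:10:12:03 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Feb/2017:10:12:04 +0000] "POST /index.php?rest_route=/wp/v2/posts/1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Feb/2017:10:14:30 +0000] "DELETE /wp-json/wp/v2/posts/7 HTTP/1.1" 401 45',
    '203.0.113.5 - - [01/Feb/2017:10:15:40 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 9000',
    '203.0.113.5 - - [01/Feb/2017:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for event in rest_write_events(SAMPLE_LOG):
        print(event)
    print(successful_writes_by_ip(SAMPLE_LOG))
```

Accepted writes from a client that never authenticated through wp-login.php, or bursts of writes to a single post, are what to follow up on; a read-only database, as the commenter suggests, would turn such requests into 5xx errors in the same log.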

