According to web security firm Sucuri, who detected the attacks after details of the vulnerability became public last Monday, the attacks have been slowly growing, reaching almost 3,000 defacements per day.

Attackers are exploiting a vulnerability in the WordPress REST API, which the WordPress team fixed almost two weeks ago, but for which they published public details last Monday.

The vulnerability allows a remote attacker to craft an HTTP request that pings a REST API endpoint and alters titles and content on the user’s website.

Exploiting the flaw is trivial, and according to Sucuri, a few public exploits have been published online since last week.

Over 67,000 websites defaced already

Even if the vulnerability affects only WordPress 4.7.0 and 4.7.1 and the CMS has a built-in auto-update feature for security issues, many websites haven’t been updated.

Based on data collected from Sucuri’s honeypot test servers, four attackers have been busy in the past week trying to exploit the flaw.

Since the attacks have been going on for some days, Google has already started to index some of these defacements.

Currently, the groups using the REST API flaw to deface websites are only doing it for public brand exposure, only altering page titles and their content by adding their own name.
One of the defaced sites

Sucuri’s CTO, Daniel Cid, expects to see professional defacers enter the fold, such as SEO spam groups that will utilize the vulnerability to post more complex content, such as links and images.

This types of defacements are used to boost the SEO ranking of other sites or promote shady products. Websites that suffer from SEO-targeted defacements also have their SERP (Search Engine Result Page) indicator affected and risk losing their reputation on search engines, which in turns drives down traffic to their site.

Website owners are advised to update to WordPress 4.7.2. as soon as possible in order to avoid losing visibility on Google due to this REST API security issue.

Source: Bleeping Computer