CVE-2019-17673
📋 TL;DR
WordPress sites running versions before 5.2.4 are vulnerable to cache poisoning attacks on JSON GET requests due to missing Vary: Origin headers. This allows attackers to serve malicious cached content to users. All WordPress installations using affected versions with REST API endpoints accessible are potentially impacted.
💻 Affected Systems
- WordPress
📦 What is this software?
WordPress by WordPress
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison cache to serve malicious JavaScript or redirect users to phishing sites, potentially leading to credential theft or malware distribution.
Likely Case
Cache poisoning leading to content manipulation, defacement, or serving malicious scripts to users accessing REST API endpoints.
If Mitigated
With proper cache controls and updated WordPress, the vulnerability is eliminated and no impact occurs.
🎯 Exploit Status
Exploitation requires understanding of cache poisoning techniques and access to REST API endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: WordPress 5.2.4 and later
Vendor Advisory: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
Restart Required: No
Instructions:
1. Log into the WordPress admin dashboard.
2. Navigate to Dashboard > Updates.
3. Click 'Update Now' if WordPress 5.2.4 or later is available.
4. Alternatively, manually update by downloading the latest version from wordpress.org and replacing files via FTP/SFTP.
🔧 Temporary Workarounds
Disable REST API caching
Configure caching systems to not cache REST API JSON responses, or add Vary: Origin headers manually.
# For nginx: add_header Vary Origin always; in location block for REST API
# For Apache: Header always merge Vary Origin in .htaccess for REST API routes (merge keeps existing Vary values such as Accept-Encoding; set would overwrite them)
🧯 If You Can't Patch
- Implement WAF rules to block suspicious cache poisoning attempts targeting REST API endpoints.
- Disable or restrict access to REST API endpoints if not required, using plugins or server configuration.
🔍 How to Verify
Check if Vulnerable:
Check WordPress version in admin dashboard or via wp-includes/version.php. If version is below 5.2.4, site is vulnerable.
Check Version:
grep '\$wp_version' wp-includes/version.php
Verify Fix Applied:
After update, confirm version is 5.2.4 or higher. Test REST API endpoints to ensure Vary: Origin header is present in responses.
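The header check described above, as an added example (not part of the advisory or of WordPress): it parses a captured response header block and reports whether any Vary line lists Origin. The two header blocks and the `X-Origin-Note` header are constructed samples; the second shows why a plain text search for "Vary: Origin" can give a false positive.

```python
# Added example: offline check of captured REST API response headers.
# The header blocks below are constructed samples, not output from a real site.

def vary_fields(raw_headers: str) -> set:
    """Return the lower-cased field names listed across all Vary header lines."""
    fields = set()
    for line in raw_headers.strip().splitlines()[1:]:   # [0] is the status line
        if not line.strip():
            break                                        # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "vary":
            fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return fields

def varies_on_origin(raw_headers: str) -> bool:
    """True when caches are told to key on Origin ('*' means every request differs)."""
    fields = vary_fields(raw_headers)
    return "origin" in fields or "*" in fields

# Constructed sample: Origin appears in a second, lower-case Vary line.
PATCHED = """HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Vary: Accept-Encoding
vary: origin
"""

# Constructed sample: the text "Vary: Origin" appears only inside another
# header's value (hypothetical X-Origin-Note), so it must not count.
UNPATCHED = """HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Vary: Accept-Encoding
X-Origin-Note: Vary: Origin
"""

if __name__ == "__main__":
    for label, sample in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        verdict = "OK" if varies_on_origin(sample) else "MISSING Vary: Origin"
        print(f"{label}: {verdict}")
```

Input for a real site can be captured with `curl -s -D - -o /dev/null <site>/wp-json/`, where `<site>` is a placeholder for the site's base URL.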
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to REST API endpoints with crafted Origin headers
- Cache misses/poisoning events in caching system logs
Network Indicators:
- HTTP requests with manipulated Origin headers targeting wp-json endpoints
- Cache poisoning patterns in traffic
SIEM Query:
source="web_logs" AND (uri="/wp-json/*" OR uri="/?rest_route=*") AND (header="Origin: *" OR cache_status="HIT" with suspicious content)
🔗 References
- https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
- https://core.trac.wordpress.org/changeset/46478
- https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
- https://seclists.org/bugtraq/2020/Jan/8
- https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
- https://wpvulndb.com/vulnerabilities/9911
- https://www.debian.org/security/2020/dsa-4599
- https://www.debian.org/security/2020/dsa-4677