cve/2017/CVE-2017-1001000.md

### [CVE-2017-1001000](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1001000)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

### POC

#### Reference
- https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/FishyStix12/BH.py-CharCyCon2024
- https://github.com/FishyStix12/WHPython_v1.02
- https://github.com/Vayel/docker-wordpress-content-injection
- https://github.com/YemiBeshe/Codepath-WP1
- https://github.com/hom3r/wordpress-4.7
- https://github.com/justinw238/codepath_7_jlw15
- https://github.com/sarcox/WPPentesting