By Gary Nugent

Yoast SEO WordPress plugin security vulnerability

When you build sites with WordPress, it is essential to use an SEO plugin to prevent indexing of tags, categories, etc., which otherwise results in duplicate content on your site.

The plugin I recommend is Yoast SEO (it's freely available), which is an excellent plugin. I use it on every site I build for myself and for clients.

However, a major security vulnerability has been found (and now corrected) in the plugin.

So if you use the plugin on your WP blogs, it's vital to download and install the updated version of Yoast, which is freely available. That is version 1.7.4.

Who Is Affected?

Tens of millions of websites are at risk of being hacked. The Yoast SEO plugin has been downloaded more than 14 million times, making it one of the most popular WordPress plugins for easily optimizing websites for search engines, i.e. search engine optimization (SEO).

Many webmasters build more than one blog, so that’s why potentially tens of millions of sites are at risk.

All versions of the plugin up to and including 1.7.3.3 are vulnerable.

What Is The Security Vulnerability?

It's what is known as a Blind SQL Injection vulnerability. This is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the response of the application. This attack is often used when the web application is configured to show only generic error messages, but the code that is vulnerable to SQL injection has not been fixed.

What this means is that an attacker can inject SQL into a query the application sends to the database, and use it to extract, modify or delete data. On websites it is often used to insert unwanted or unauthorized affiliate links, spam links, or malware/adware.

SQL injection (SQLi) vulnerabilities are ranked as critical because they can cause a database breach and lead to leakage of confidential information.

The actual security fix for the plugin says:

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

The Yoast team announced that the WordPress development team automatically pushed an update to WordPress installs running an older version of this plugin, so many sites running it should already be updated. But don't rely on this being the case with your own site. Manually check which version of the plugin your site is using and update to 1.7.4 regardless.

How The Vulnerability Works

Certain things need to happen before the vulnerability can be exploited. An outside attacker can't trigger this vulnerability by themselves, because the flaw resides in the 'admin/class-bulk-editor-list-table.php' file, which is only accessible to users with the WordPress Admin, Editor or Author role.

So, for a successful exploit to occur, it has to be triggered by an authorized user. This is where social engineering comes into the equation: an attacker can trick an authorized user into clicking a specially crafted URL that carries the exploit payload.

If the authorized WordPress user falls victim to the attack, the exploit can execute arbitrary SQL queries against the victim's WordPress website.
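To make the changelog entry and the exploit path above concrete, here is an added illustration (hypothetical WordPress-style handler, not Yoast's own code) showing the weak shape the changelog describes next to a hardened version that applies its three fixes: an Editor-level capability check, a nonce check against CSRF, and an allow-list for the order_by and order parameters. The function names, the 'bulk_sort' nonce action and the column list are assumptions.

```php
<?php
// Added illustration, not Yoast's code: a hypothetical admin list handler
// that sorts posts by user-supplied `order_by` and `order` query parameters.

// --- Weak pattern: the shape of bug the changelog describes ---
// The column and direction are interpolated straight into the SQL, and
// nothing ties the request to a deliberate action by the logged-in user,
// so a crafted link clicked by an Editor runs whatever SQL it carries.
function weak_bulk_query( $wpdb ) {
    $order_by = $_GET['order_by'] ?? 'post_date';
    $order    = $_GET['order']    ?? 'DESC';
    // ORDER BY identifiers cannot be bound as prepared-statement values,
    // so this interpolation is a (blind) SQL injection sink.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order"
    );
}

// --- Hardened pattern, mirroring the three fixes in the changelog ---
function hardened_bulk_query( $wpdb ) {
    // 1. Capability check: only Editors and above reach the bulk editor.
    //    'edit_others_posts' is a standard Editor-level capability.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    // 2. Nonce check defeats CSRF: a link prepared by an outsider cannot
    //    carry a nonce bound to the victim's session. Assumes the sort
    //    links were built with wp_nonce_url( $url, 'bulk_sort', 'bulk_sort_nonce' ).
    check_admin_referer( 'bulk_sort', 'bulk_sort_nonce' );

    // 3. Strict sanitation: allow-list both the column and the direction,
    //    falling back to safe defaults for anything unexpected.
    $allowed_columns = array( 'ID', 'post_title', 'post_date', 'post_modified' );
    $order_by = isset( $_GET['order_by'] ) && is_string( $_GET['order_by'] )
        ? $_GET['order_by'] : 'post_date';
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_date';
    }
    $raw_order = isset( $_GET['order'] ) && is_string( $_GET['order'] )
        ? strtoupper( $_GET['order'] ) : 'DESC';
    $order = ( 'ASC' === $raw_order ) ? 'ASC' : 'DESC';

    // Only values from the fixed lists above can reach the query now.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order"
    );
}
```

Because ORDER BY takes identifiers rather than values, `$wpdb->prepare()` alone does not help here; the allow-list is the mitigation, and the nonce stops the crafted-link delivery the post describes.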

So beware of clicking on any links in emails, messages, and social media sites that look suspicious.

So go update the Yoast SEO plugin on your sites right now.
