WordPress Google Analytics Plugin by Yoast Vulnerable to critical site-hijacking

March 21st, 2015 | Waqas | Security

Yet another vulnerability has been found in a Yoast WordPress plugin, and this one can be exploited by attackers to take control of the affected site.

Just a week ago, the problem was in the company's WordPress SEO plugin, which is used on more than a million WordPress websites. This time the affected product is the company's Google Analytics plugin, which has been downloaded about 7 million times.

Jouko Pynnonen, the Finnish researcher who discovered the flaw, says the vulnerability “allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required.”


“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.

See Also: Vulnerability in WordPress Plugin Allows Hackers to take full control of website

Pynnonen has also published a proof-of-concept exploit, since the vulnerability has already been patched.

The flaw was reported to Yoast on Wednesday, and the company released a fixed version (5.3.3) of the plugin on Thursday. Users are advised to update the plugin immediately.

Joost de Valk, the owner of Yoast, said there is no evidence that the flaw has been exploited in the wild.

See Also: WordPress Default Leaves Millions of Sites Vulnerable to DDoS Attacks

The plugin's settings page lists the Google Analytics properties and profiles visible to the connected account, and the plugin did not properly escape the property names on output. A property whose name contains JavaScript therefore becomes a stored XSS payload that runs in the administrator's browser as soon as the settings page is opened. The attack is hard to automate at scale, but anyone who wants to target a specific site can carry it out.
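To make the escaping bug concrete, the following is an added example (not the Yoast plugin's own code) that renders a property list the way a vulnerable settings page would, beside the escaped version. The property data and the script payload are constructed for the demo; the esc_attr_compat/esc_html_compat helpers are assumptions that fall back to htmlspecialchars() when WordPress's esc_attr()/esc_html() are not loaded.

```php
<?php
// Added example, not code from the Yoast plugin. Property names come from an
// external API response, so they are attacker-influenced and must be treated
// as untrusted. The data below is constructed; the payload is a harmless alert.
$properties = [
    ['id' => 'UA-000000-1', 'name' => 'Example Site'],
    // Constructed malicious property name, as an attacker could set in their own account.
    ['id' => 'UA-000000-2', 'name' => '<script>alert(document.cookie)</script>'],
];

// Vulnerable: the name is concatenated straight into HTML, so the script runs
// in the administrator's browser when the settings page is rendered.
function render_properties_vulnerable(array $properties): string {
    $html = '<select name="ga_property">';
    foreach ($properties as $p) {
        $html .= '<option value="' . $p['id'] . '">' . $p['name'] . '</option>';
    }
    return $html . '</select>';
}

// Hypothetical helpers (assumption): use WordPress's esc_attr()/esc_html() when
// available, otherwise the equivalent htmlspecialchars() call. Attribute values
// and element text are different contexts, so each gets its own escaper.
function esc_attr_compat(string $s): string {
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_html_compat(string $s): string {
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed: every untrusted value is escaped for the context it lands in.
function render_properties_fixed(array $properties): string {
    $html = '<select name="ga_property">';
    foreach ($properties as $p) {
        $html .= '<option value="' . esc_attr_compat($p['id']) . '">'
               . esc_html_compat($p['name']) . '</option>';
    }
    return $html . '</select>';
}

echo "Vulnerable output:\n" . render_properties_vulnerable($properties) . "\n\n";
echo "Escaped output:\n" . render_properties_fixed($properties) . "\n";

// Quick self-check: the raw <script> tag must not survive escaping.
if (strpos(render_properties_fixed($properties), '<script>') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

Running the script prints the raw `<script>` tag in the first block and `&lt;script&gt;...` in the second; only the first would execute in a browser. The point is that the fix belongs at the output sink, on every value from the API, regardless of how plausible it seems that Google would only ever return benign names.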

A demo video accompanied the original article.
