Yet another vulnerability has been found in a Yoast WordPress plugin, one that attackers can exploit to take control of the site.
Just a week ago, the flaw was in the WordPress SEO plugin, which is used by more than a million WordPress websites. This time it is in the company's Google Analytics plugin, which has been downloaded about 7 million times.
“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.
Pynnonen also provided a proof of concept (PoC) for the exploitation, since the vulnerability has already been patched.
The flaw was reported to Yoast on Wednesday, after which it released a new version (5.3.3) of the plug-in on Thursday. Users are advised to update their plug-ins immediately.
Joost de Valk, the owner of Yoast, said there is no evidence of any incident suggesting the flaw had been exploited.
Demo video available below: