WordPress Google Analytics Plugin by Yoast Vulnerable to Critical Site Hijacking

Yet another vulnerability has been found in a Yoast WordPress plugin, and attackers can exploit it to take control of the site.

Just a week ago, the case involved the WordPress SEO plugin, which is used by more than a million WordPress websites. This time, however, the case concerns the company’s Google Analytics plugin, which appears to have been downloaded about 7 million times.

Jouko Pynnonen, the researcher from Finland who discovered the security flaw, says the vulnerability “allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required.”


“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.


Pynnonen also provided a PoC for exploitation, since the vulnerability has already been patched.

The flaw was revealed to Yoast on Wednesday, after which it released a new version (5.3.3) of the plug-in on Thursday. Users are advised to update their plug-ins immediately.

Joost de Valk, the owner of Yoast, said there is no evidence of any incident suggesting that the flaw had been exploited.


Google Analytics property names that contain JavaScript code, shown in the list of profiles, can prove really hazardous. The admin could fall victim to a serious XSS attack when visiting the settings page, because the company did not properly escape the property names on output. An attacker would find this difficult to automate; however, someone who wanted to target someone else’s site could do so.
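The output-escaping fix described above, sketched as an added example; this is not the plugin's own code. The function names `render_profiles_unescaped` and `render_profiles_escaped`, the form field name and the sample profile data are hypothetical, and `esc_html()`/`esc_attr()` are stood in for with `htmlspecialchars()` so the script runs outside WordPress.

```php
<?php
// Added example: hypothetical renderer for a list of Google Analytics profiles.
// Outside WordPress, stand in for esc_html()/esc_attr() with htmlspecialchars().
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample data. Property names are set in a remote account,
// so the settings page has to treat them as untrusted input.
$profiles = array(
    array('id' => 'UA-0000000-1', 'name' => 'Company blog'),
    array('id' => 'UA-0000000-2', 'name' => 'Shop <script>alert(1)</script>'),
);

// Before: id and name are concatenated into the markup as received.
function render_profiles_unescaped(array $profiles) {
    $html = '<select name="analytics_profile">';
    foreach ($profiles as $p) {
        $html .= '<option value="' . $p['id'] . '">' . $p['name'] . '</option>';
    }
    return $html . '</select>';
}

// After: each value is escaped for the context it lands in.
function render_profiles_escaped(array $profiles) {
    $html = '<select name="analytics_profile">';
    foreach ($profiles as $p) {
        $html .= '<option value="' . esc_attr($p['id']) . '">'
               . esc_html($p['name']) . '</option>';
    }
    return $html . '</select>';
}

$before = render_profiles_unescaped($profiles);
$after  = render_profiles_escaped($profiles);

// Regression check: markup from the data must reach the page only as text.
if (strpos($before, '<script>') === false || strpos($after, '<script>') !== false
        || strpos($after, '&lt;script&gt;') === false) {
    throw new RuntimeException('escaping check failed');
}
echo $after, PHP_EOL;
```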



Waqas
