WordPress Google Analytics Plugin by Yoast Vulnerable to critical site-hijacking

March 21st, 2015 | Waqas | Security

Yet another vulnerability has been found in the Yoast WordPress plugin that can be exploited by attackers allowing them to control the site.

Just a week ago, the affected component was the WordPress SEO plugin, which is used by more than a million WordPress websites. This time the flaw is in the company's Google Analytics plugin, which has been downloaded about 7 million times.

Jouko Pynnonen, the Finnish researcher who discovered the flaw, says the vulnerability “allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required.”


“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.


Pynnonen also published a proof of concept, since the vulnerability has already been patched.

The flaw was reported to Yoast on Wednesday, and the company released a new version (5.3.3) of the plug-in on Thursday. Users are advised to update the plug-in immediately.

Joost de Valk, the owner of Yoast, said there is no evidence of any incident suggesting the flaw has been exploited.


The plugin's settings page displays the Google Analytics property names and the list of profiles, and a property name containing JavaScript is hazardous: because the plugin did not escape the property names on output, an administrator who visits the settings page is hit by a stored XSS attack. The attack is hard to automate, but anyone who wanted to target a specific site could carry it out.
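The following added example is not the plugin's code; it illustrates the class of bug described above and the fix. The profile data is constructed, and the `render_profiles_unsafe()` and `render_profiles_safe()` functions are hypothetical names chosen for this illustration; `esc_attr()` and `esc_html()` are the real WordPress escaping helpers, with stand-ins defined so the snippet runs outside WordPress.

```php
<?php
// Constructed sample: profile names as they might come back from an external API.
// One name carries an HTML payload that an unescaped template would render as markup.
$profiles = [
    ['id' => 'UA-00000-1', 'name' => 'Example Blog'],
    ['id' => 'UA-00000-2', 'name' => 'Shop <script>alert(1)</script>'],
];

// Stand-alone stand-ins for WordPress's esc_attr()/esc_html(); inside WordPress
// the real functions are used instead (same escaping semantics for this purpose).
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the externally supplied name goes into the page as-is,
// so the administrator's browser executes whatever markup it contains.
function render_profiles_unsafe(array $profiles): string {
    $html = '<select name="profile">';
    foreach ($profiles as $p) {
        $html .= '<option value="' . $p['id'] . '">' . $p['name'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: each value is escaped at the point of output for the context
// it lands in (attribute value vs. text node), regardless of where it came from.
function render_profiles_safe(array $profiles): string {
    $html = '<select name="profile">';
    foreach ($profiles as $p) {
        $html .= '<option value="' . esc_attr($p['id']) . '">'
               . esc_html($p['name']) . '</option>';
    }
    return $html . '</select>';
}

// Check: the hardened output contains no raw <script> tag, the unsafe one does.
assert(strpos(render_profiles_unsafe($profiles), '<script>') !== false);
assert(strpos(render_profiles_safe($profiles), '<script>') === false);
echo render_profiles_safe($profiles), PHP_EOL;
```

The data source being a trusted third-party service does not make the values trustworthy; the fix is output escaping in the template, not filtering on the way in.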

Demo video available below:
