
‘WordPress SEO by Yoast’ Plugin Vulnerable to Hackers, Affecting Millions Worldwide

March 12th, 2015 | Waqas | Security

A large number of websites have been put at risk by a vulnerability in a very popular plugin for the WordPress content management platform, a flaw that allows hackers to attack those websites.

The fault lies in many versions of the WordPress plugin ‘WordPress SEO by Yoast’, which has over 14 million downloads, making it the best-known WordPress plugin for conveniently optimizing websites for search engines (Search Engine Optimization).

Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’, is the researcher who found the vulnerability in WordPress SEO by Yoast. His advisory says that all versions of ‘WordPress SEO by Yoast’ before 1.7.3.3 are vulnerable to a blind SQL injection web application flaw.

SQL injection (SQLi) vulnerabilities are ranked among the most critical because they can allow a database to be breached, revealing confidential data. Commonly in an SQLi attack, an attacker inserts a malformed SQL query into an application through client-side input.

How Yoast Vulnerability Works

Since the fault lies in the ‘admin/class-bulk-editor-list-table.php’ file, an outside attacker cannot trigger the vulnerability directly. That file can only be accessed by WordPress users with Admin, Editor or Author privileges.

This means the vulnerability can only be triggered by exploiting those authorized users: they can be fooled into clicking a specially crafted URL that carries the payload, a kind of social engineering trick.

If the authorized user actually clicks the URL, the exploit could execute arbitrary SQL queries on the victim’s WordPress website, Ryan explained to security blogger Graham Cluley. Ryan also released a proof-of-concept payload for the blind SQL injection vulnerability in ‘WordPress SEO by Yoast’:

http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
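As an added example (not code from the article, from Yoast or from WPScan), the following Python shows the defender's side of the flaw described above: an allow-list that keeps a request-controlled `orderby` value out of the SQL string, and a check over constructed access-log lines that flags bulk-editor requests whose `orderby` carries a subquery. The column names, the `sleep`/`benchmark` token list and the log lines are assumptions.

```python
# Added example (not code from the HackRead article or the Yoast plugin): defensive handling of a
# user-controlled ORDER BY, plus log detection of the time-based blind SQLi request shape.
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allow-list of sortable columns (assumption). The safe fix for a request-controlled
# ORDER BY is to map the value onto a fixed set of column names, never to splice it into SQL.
ALLOWED_ORDERBY = {"post_title", "post_date", "post_status", "post_author"}
ALLOWED_ORDER = {"asc", "desc"}

def build_order_clause(orderby, order):
    """Return a safe ORDER BY fragment, or None when the request value is not allow-listed.
    A value like 'post_date,(select ...)' is rejected whole and never reaches the database."""
    orderby = (orderby or "").strip().lower()
    order = (order or "asc").strip().lower()
    if orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER:
        return None
    return f"ORDER BY {orderby} {order.upper()}"

# Time-based blind SQLi smuggles a subquery into orderby; these tokens (assumed list) are the
# ones the published PoC shape depends on. Values are matched after URL-decoding.
INJECTION_PATTERN = re.compile(r"(\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|[,;()])", re.I)

def is_suspicious_bulk_editor_request(log_line):
    """True when an access-log line hits the Yoast bulk editor with a non-allow-listed orderby
    that also carries SQL-looking tokens."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return False
    url = urlparse(m.group(1))
    qs = parse_qs(url.query)  # parse_qs already percent-decodes values
    if qs.get("page", [""])[0] != "wpseo_bulk-editor":
        return False
    orderby = unquote(qs.get("orderby", [""])[0])  # second decode catches double-encoding
    order = qs.get("order", ["asc"])[0]
    return build_order_clause(orderby, order) is None and bool(INJECTION_PATTERN.search(orderby))

# Constructed sample access-log lines: one benign bulk-editor sort, one with the PoC shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2015:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date&order=asc HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2015:10:03:44 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc HTTP/1.1" 200 5120',
]

def flagged_lines(lines=SAMPLE_LOG):
    """Return the log lines that look like an attempt to abuse the bulk editor's orderby."""
    return [ln for ln in lines if is_suspicious_bulk_editor_request(ln)]
```

Running `flagged_lines()` over the constructed log returns only the second line; an unexpectedly slow response on such a request is the other signal a defender would correlate with it.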

Patch for Yoast SQLi Vulnerability

The latest version of WordPress SEO by Yoast (1.7.4) was believed to be susceptible when the flaw was published. However, the vulnerability appears to have been fixed by the Yoast developers: they updated the changelog some hours ago, and it now states that the latest version contains “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor.”

It is often said that a WordPress site’s SEO is not complete until WordPress SEO by Yoast has been installed. Those who want to improve the search engine traffic of their websites through this plugin now have a critical issue at hand because of this vulnerability.

Hence, WordPress administrators who have the auto-update feature disabled are advised to upgrade WordPress SEO by Yoast immediately, or to download the latest version from the WordPress plugin repository manually.

You can also fully automate updates of your installed plugins from the Manage > Plugins & Themes > Auto Updates tab if you have WordPress 3.7 installed.

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism.