A very popular plugin for the WordPress content management platform contains a vulnerability that lets attackers compromise a large number of websites.
The flaw lies in many versions of the plugin ‘WordPress SEO by Yoast’, which has over 14 million downloads, making it the best-known WordPress plugin for conveniently optimizing websites for search engines (Search Engine Optimization, SEO).
Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’, discovered the vulnerability in WordPress SEO by Yoast. His advisory says that all versions of ‘WordPress SEO by Yoast’ before 220.127.116.11 are vulnerable to a blind SQL injection web application flaw.
SQL injection (SQLi) vulnerabilities rank among the most critical web application flaws because they can allow a database to be breached and confidential data to be revealed. In a typical SQLi attack, an attacker inserts a malformed SQL query into an application through client-side input.
How Yoast Vulnerability Works
Since the fault lies in the ‘admin/class-bulk-editor-list-table.php’ file, an outside attacker cannot trigger the vulnerability directly: the file can only be accessed by users with WordPress Admin, Editor or Author privileges.
This means that the vulnerability can only be triggered by exploiting those authorized users. Such users can be fooled into clicking a specially crafted URL that carries the exploit payload, a social engineering trick.
If the authorized user clicks the URL, the exploit could execute arbitrary SQL queries on the victim’s WordPress website, Ryan explained to security blogger Graham Cluley. Ryan also released a proof-of-concept payload for the blind SQL injection vulnerability in ‘WordPress SEO by Yoast’.
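The two weaknesses described above, a sort parameter in an admin-only list table that reaches SQL unchecked and a request that carries no CSRF token, are illustrated here with a hypothetical plugin function next to its hardened form. This is an added example, not Yoast's code; the parameter names, action name and column list are assumptions.

```php
<?php
// Hypothetical list-table query (not the plugin's code). Any logged-in
// Author/Editor/Admin who opens a crafted link runs it with attacker-chosen
// GET values, which is the CSRF-plus-blind-SQLi combination the advisory describes.
function hypothetical_bulk_editor_query_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_title';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    // Raw interpolation into ORDER BY: prepare() cannot parameterise identifiers,
    // so this is a SQL injection sink even though no query result is echoed back.
    return $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby $order" );
}

// Hardened form: a nonce check stops the request from being triggered
// cross-site, and a strict allow-list removes the identifier injection.
function hypothetical_bulk_editor_query_hardened() {
    global $wpdb;
    // Dies unless the request carries a valid nonce for this action, i.e. the
    // link was generated by wp_nonce_url() for this user on this site.
    check_admin_referer( 'hypothetical_bulk_editor', '_wpnonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Only these column names may ever appear in the ORDER BY clause.
    $allowed_columns = array( 'post_title', 'post_date', 'post_modified' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'post_title';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'post_title';
    }
    $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';
    // Identifiers now come from constants only; ordinary values still go through prepare().
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY $orderby $order",
        'post'
    );
    return $wpdb->get_results( $sql );
}
```

The same allow-list rule applies to any user-supplied table or column name, since `$wpdb->prepare()` placeholders only cover values.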
Patch for Yoast SQLi Vulnerability
The latest version of WordPress SEO by Yoast (1.7.4) was known to be susceptible at the time the flaw was published. However, Yoast's developers appear to have fixed the vulnerability: they updated the change log some hours ago, and it now states that the latest version “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor”.
It is often said that a WordPress site's SEO is not complete until WordPress SEO by Yoast is installed. For those who use this plugin to improve the search engine traffic of their websites, this vulnerability is a critical issue.
Hence, WordPress administrators who have the auto-update feature disabled are advised to upgrade WordPress SEO by Yoast immediately, or to download the latest version manually from the WordPress plugin repository.
You can also enable fully automatic updates for your installed plugins from the Manage > Plugins & Themes > Auto Updates tab, if you have WordPress 3.7 installed.