Last week, news of a critical flaw in the popular WordPress SEO by Yoast plugin, used for optimizing a website for search engines, took the WordPress world by storm.
It was reported that the plugin contains a vulnerability that allows attackers to manipulate a site’s database and add rogue admin accounts. Ryan Dewhurst, security researcher and co-developer of the WPScan vulnerability scanner, was the first to detect the fault. He found that a blind SQL injection vulnerability affects versions 18.104.22.168 and older of WordPress SEO by Yoast.
In an advisory, Dewhurst said:
“As there is no anti-CSRF protection a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress website by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.
One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire website.”
To put Dewhurst’s point more simply: because the plugin has no cross-site request forgery (CSRF) protection, an attacker can exploit the flaw by tricking an authenticated user – an admin, author or editor – into visiting a malicious link. In such an attack, a page controlled by the attacker makes the user’s browser send an unauthorized request to a site where that user is already logged in, and the site carries out the action as if the user had requested it.
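The protection the advisory says was missing is a nonce check on every state-changing admin request. The following is an added example and not code from the Yoast plugin; it assumes a WordPress runtime, and the action name, option key and function names are hypothetical. It shows a handler in the vulnerable shape (it acts for whoever is logged in) next to the hardened form, and how the legitimate link is generated so that it carries the nonce.

```php
<?php
// Added example, not Yoast's code. Assumes WordPress is loaded; the
// 'demo_reset_seo_settings' action and 'demo_seo_settings' option are hypothetical.

// Vulnerable shape: the handler changes state for any logged-in user who reaches it.
// The browser attaches the user's session cookies to any request, so a page the
// user merely visits can trigger this without the user intending it.
function demo_reset_seo_settings_vulnerable() {
    update_option( 'demo_seo_settings', array() );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-seo' ) );
    exit;
}

// Hardened: require a nonce bound to this action and this user, then re-check the
// capability. A third-party page cannot read the nonce, so a forged request dies here.
function demo_reset_seo_settings_hardened() {
    // check_admin_referer() verifies $_REQUEST['_wpnonce'] against the action name
    // and calls wp_die() on failure.
    check_admin_referer( 'demo_reset_seo_settings' );

    // The capability check stops an author or editor from performing an admin-only
    // change even when they present a valid nonce of their own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    update_option( 'demo_seo_settings', array() );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-seo' ) );
    exit;
}
// admin-post.php dispatches ?action=demo_reset_seo_settings to this hook for logged-in users.
add_action( 'admin_post_demo_reset_seo_settings', 'demo_reset_seo_settings_hardened' );

// The legitimate link is generated server-side and carries the _wpnonce parameter.
function demo_reset_link() {
    $url = admin_url( 'admin-post.php?action=demo_reset_seo_settings' );
    return wp_nonce_url( $url, 'demo_reset_seo_settings' );
}
```

WordPress nonces are per-user and time-limited, which is why a link or form rendered by another site cannot reproduce one; the capability check is kept separate because a nonce proves intent, not authorization.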
Yoast quickly addressed the flaw
The plugin author, Yoast, was quick to address the flaw, immediately releasing v1.7.4 of the free plugin and v1.5.3 of the premium version, which was also affected. The vulnerability was introduced in v1.5 of the plugin, so websites still running older versions were not affected. The prompt patch closed the hole before it could be used against the millions of websites running WordPress SEO by Yoast.
In his blog, Yoast also answered the question many had raised of how the flaw was missed:
Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse but it’s a good lesson to learn for other developers.
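Yoast’s point above is that esc_sql only escapes quote and backslash characters, which makes a value safe inside a quoted string literal but does nothing for a value placed unquoted into the query, such as a column name in ORDER BY or a sort direction. The following is an added example and not the plugin’s actual code; it assumes a WordPress runtime ($wpdb, esc_sql, $wpdb->prepare), and the function names and column list are hypothetical. It shows a list query built in the weak shape next to a hardened version that allowlists identifiers and binds data values with typed placeholders.

```php
<?php
// Added example, not Yoast's code. Assumes WordPress is loaded; function names and
// the allowed-column list are hypothetical.

// Weak: esc_sql() escapes ' " \ and NUL so a value can sit inside '...' safely.
// Identifiers and keywords are never quoted in SQL, so a sort column or direction
// that contains no quotes passes through esc_sql() unchanged and is interpolated as-is.
function demo_build_posts_query_weak( $orderby, $order ) {
    global $wpdb;
    $orderby = esc_sql( $orderby );   // 'post_date' stays 'post_date'; so would any quote-free expression
    $order   = esc_sql( $order );
    return "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = 'post' ORDER BY {$orderby} {$order}";
}

// Hardened: identifiers are matched against an allowlist rather than escaped, the sort
// direction is reduced to the two legal keywords, integers are bounded, and every data
// value is bound through $wpdb->prepare() with a typed placeholder.
function demo_build_posts_query_hardened( $orderby, $order, $post_type = 'post', $limit = 20 ) {
    global $wpdb;

    $allowed_columns = array( 'post_title', 'post_date', 'post_modified' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'post_date';                       // fall back to a fixed default, never to raw input
    }
    $order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';
    $limit = max( 1, min( 100, absint( $limit ) ) );  // bound the integer, then bind it with %d

    // Only the allowlisted identifier and keyword are interpolated; %s and %d are
    // filled in by prepare(), which quotes the string and casts the integer.
    return $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY {$orderby} {$order} LIMIT %d",
        $post_type,
        $limit
    );
}

// Typical call site: normalise the request parameters, build the query, run it.
function demo_list_posts() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'post_date';
    $order   = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'desc';
    $limit   = isset( $_GET['per_page'] ) ? absint( $_GET['per_page'] ) : 20;
    return $wpdb->get_results( demo_build_posts_query_hardened( $orderby, $order, 'post', $limit ) );
}
```

The rule of thumb this encodes is that escaping is a property of string literals only: anything that ends up in an identifier, keyword or numeric position must be chosen from a fixed set or cast to the right type, and anything that is data must go through prepare().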
Yoast also credited Ryan Dewhurst for finding the flaw in the plugin and, of course, for waiting for the team to release a fixed version before disclosing the issue publicly. The severity of the flaw prompted WordPress.org to push a forced automatic update.
For those who are new to WordPress, WordPress SEO by Yoast is one of the most downloaded plugins in the WordPress plugin directory. It is a hugely popular plugin, available in free and premium versions, for optimizing a website for search engines. At the time of writing, stats show that the plugin has been downloaded over 14.2 million times (14,202,540 times, to be precise)!