A perilous vulnerability has been found in the very popular plugin of the WordPress content management platform (CMS) putting about tens of Millions of websites at very high risks of hacking by the attackers.
The vulnerability is in almost all versions of a WordPress plugin which is called ‘WordPress SEO by Yoast’ As per Yoast Website, this plugin has more than fourteen million downloads which makes it one of the most famous plugins of WordPress to optimize websites for various search engines (Search engine optimization or SEO).
The person who discovered this vulnerability in WordPress SEO by Yoast is the developer of ‘WPScan’ (WordPress vulnerability scanner).
According to a published advisory the versions of WordPress SEO by Yoast before 188.8.131.52 are vulnerable to a web application flaw and this is known as ‘Blind SQL Injection’.
The SQLi (SQL injections) are known to be critical vulnerabilities they can lead to database breach and also to leakage of information that is confidential. Usually, in these attacks, a SQL query that is malformed is inserted into an application through client-side input.
How Does The Yoast Vulnerability Work?
However, in this case, the outside hacker cannot trigger the vulnerability itself because the flaw in actuality is located in a file that needs authorization for access and can be accessed only by Admin, Author or Editor and privileged users of WordPress. The file is ‘admin/class-bulk-editor-list-table.php‘
Thus, a trigger from authorized users is required for successful exploitation of this vulnerability. The attacker can make use of social engineering to trap the authorized users and make them click on a special URL that is payload exploitable.
As explained by Ryan to Graham Cluely (security blogger), if an authorized user of WordPress falls into the trap, the exploit will be allowed to carry execution of arbitrary SQL queries on the WordPress website of the victim.
A proof-of-concept payload was also released by Ryan for Blind SQLi vulnerability in the WordPress SEO by Yoast. This is as below:
http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor& type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)& order=asc
Patch for the Yoast SQL injection Vulnerability
If reports are to be believed, in the latest version 1.7.4 of WordPress SEO by Yoast, the vulnerability has been patched. The developers of WordPress plugin have done this and this is also mentioned in the changed log. It reads that latest version 1.7.4 has fixed “possible CSRF and blind SQL injection vulnerabilities in bulk editor.”
Normally, it is believed that your website is not seriously complete, if you don’t have the WordPress SEO by Yoast installed. The website owners aim at increasing the traffic of their website using this plugin and this vulnerability is really serious for them.
Thus, the administrators of WordPress that do not have an auto-update feature are highly recommended to upgrade their plugin (WordPress SEO by Yoast) manually as soon as possible. They should visit the WordPress plugin repository to manually download the latest version. If you have the WordPress version 3.7 or above, it is wise to enable the fully automated update of your plugins and themes. You can do this from the tab – Manage – Plugin and Themes – Auto Updates.