Yoast WordPress SEO Plugin Makes Your Website Vulnerable!

According to recent news, the popular Yoast SEO WordPress plugin has a major vulnerability that makes a website susceptible to blind SQL injection. This is a very popular plugin, used by over 14 million websites. Reportedly, all versions of SEO by Yoast prior to 1.7.3.3 are vulnerable to a blind SQL injection web application flaw. This is alarming news for those who use this plugin, because it could seriously compromise the data on their website.
According to Mohit Kumar of Hacker News:
“Basically, in an SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. However, in this scenario, an outside hacker can’t trigger this vulnerability by themselves because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only.
Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick an authorized user into clicking on a specially crafted payload exploitable URL.”
In other words, a WordPress admin can be tricked into clicking a link that then triggers the SQLi attack from within their own logged-in session. Once the attack succeeds, the attacker could add their own admin account to the vulnerable WordPress site and do whatever they want with it.

Not everyone who has SEO by Yoast installed is automatically affected by this. The attack can only be triggered manually, by a WordPress admin, editor, or author who clicks on a dangerous link created by the attacker.

In addition, this is something that can easily be fixed by updating your plugin to the latest version. The Yoast team promptly patched the vulnerability upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
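To make the three items in that fix concrete (allowlisted order_by/order values, a nonce check, and an Editor-level capability check), here is an added illustration written for this article. It is not code from the Yoast SEO plugin; the function names, the nonce action 'yst_bulk_list' and the column list are assumptions, while $wpdb, check_admin_referer and current_user_can are standard WordPress core APIs.

```php
<?php
// Added illustration, not Yoast's code. Shows why the bulk-editor fix needed
// allowlisting plus nonce and capability checks, not just $wpdb->prepare().

// WEAK: request values flow straight into ORDER BY. $wpdb->prepare() only
// parameterises literal values (%d, %s), never identifiers, so a column name
// or sort direction taken from the request cannot be protected by it.
function bulk_list_weak( $per_page ) {
    global $wpdb;
    $order_by = $_GET['order_by'];
    $order    = $_GET['order'];
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order LIMIT %d",
        $per_page
    ) );
}

// HARDENED: identifiers come from a fixed allowlist, the request must carry a
// nonce minted for this action, and the caller must be an Editor or above.
function bulk_list_hardened( $per_page ) {
    global $wpdb;

    // 1. Capability: 'edit_others_posts' is granted to Editors and higher roles,
    //    matching the "minimal capability is now Editor" line of the changelog.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    // 2. Nonce (assumed action name): a crafted link an Editor is tricked into
    //    opening will not carry a valid nonce, so the request stops here.
    check_admin_referer( 'yst_bulk_list', '_wpnonce' );

    // 3. Allowlist: only known column names and ASC/DESC ever reach the SQL.
    $allowed_cols = array( 'ID', 'post_title', 'post_date', 'post_modified' );
    $order_by     = isset( $_GET['order_by'] ) ? (string) $_GET['order_by'] : 'post_date';
    if ( ! in_array( $order_by, $allowed_cols, true ) ) {
        $order_by = 'post_date'; // anything unexpected falls back to a safe default
    }
    $order = ( isset( $_GET['order'] ) && strtoupper( (string) $_GET['order'] ) === 'ASC' )
        ? 'ASC' : 'DESC';

    // Only the LIMIT value is a literal, so it is the only thing prepare() binds.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order LIMIT %d",
        $per_page
    ) );
}
```

When reviewing a plugin, any request parameter that lands in ORDER BY, a table name or a column name is the pattern to look for, since prepare() cannot bind those positions.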
In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. It is strongly recommended that you update all SEO and security plugins on your websites as soon as possible.

Stay safe!


4 comments

  1. Thanks for informing, man! I've updated the plugin to the latest version :)

  2. Oh, that could bring one of the big problems in a blogger's life if not alert about what's working and what's not. Thanks for informing.

  3. Unfortunately I am not an expert in fixing web issues, what should I do? Avoid Yoast?

  4. It's really great information, Mohammad Sir. Thank you.