A critical vulnerability has been discovered in one of the most popular WordPress plugins in use today. This plugin, known as WordPress SEO by Yoast, reports more than 14 million downloads (according to the Yoast website) – making it one of the most widely used plugins for WordPress. This means that tens of millions of websites around the world are at risk of being attacked by hackers looking to exploit this newly discovered vulnerability.
Ryan Dewhurst, developer of a WordPress vulnerability scanner known as WPScan, has been credited with discovering this threat which relies on a Blind SQL (Structured Query Language) Injection application flaw. According to the advisory issued by Dewhurst, all versions of WordPress SEO by Yoast prior to 220.127.116.11 are vulnerable to exploitation using this technique.
SQL Injection vulnerabilities are considered critical because they usually result in a database breach which could lead to compromised confidential information being leaked to the hackers behind the attack.
SQL injection attacks work due to improperly coded PHP scripts that allow attackers to intentionally insert malicious SQL queries into an application from the client-side Web browser. It is a common technique used by hackers looking to gain access to backend databases which may include sensitive personal and financial data for thousands, or even millions, of customers frequenting the compromised website. The Yoast vulnerability is slightly different because the flaw is found within the ‘admin/class-bulk-editor-list-table.php’ file. This file can only be accessed by WordPress users with Admin, Editor, or Author privileges. While this prevents hackers from simply targeting a website from the outside using this vulnerability, it is relatively simple to use social engineering techniques to gain access to an authorized account on the targeted website. This is especially true as many ‘Author’ accounts are held by freelance writers who may have no idea that they are being targeted by hackers.
The most common way a hacker might use social engineering to gain access to one of these user accounts is by presenting a specially designed URL that can be exploited by the hackers without the knowledge of the victim.
Often, this URL would be delivered to the target via email. Dewhurst released a proof of concept URL along with the announcement of this vulnerability that demonstrates just how easy it is for hackers to gain access to a WordPress-powered site using an affected version of WordPress SEO by Yoast. The SQL injection code looks something like this:
What makes this threat so dangerous is the sheer number of websites that rely on this plugin to improve search engine optimization features. In fact, it is such a popular tool for webmasters that many WordPress themes (both free and premium) include this plugin by default. And like so many other WordPress themes with known vulnerabilities, webmasters often fail to update these plugins until it is too late and a breach has already occurred. To avoid falling victim to this threat, WordPress administrators should immediately check which version of WordPress SEO by Yoast is currently installed and update the plugin if necessary. For websites using WordPress version 3.7 and above, it is also recommended that the Auto Update feature be activated to prevent issues like this from compromising the website in the future.