
Vulnerability Found in Popular WordPress Plugin

A critical vulnerability has been discovered in one of the most popular WordPress plugins in use today. This plugin, known as WordPress SEO by Yoast, reports more than 14 million downloads (according to the Yoast website) – making it one of the most widely used plugins for WordPress. This means that tens of millions of websites around the world are at risk of being attacked by hackers looking to exploit this newly discovered vulnerability.

Ryan Dewhurst, developer of a WordPress vulnerability scanner known as WPScan, has been credited with discovering this threat which relies on a Blind SQL (Structured Query Language) Injection application flaw. According to the advisory issued by Dewhurst, all versions of WordPress SEO by Yoast prior to 1.7.3.3 are vulnerable to exploitation using this technique.

SQL injection vulnerabilities are considered critical because they usually result in a database breach, which can leak confidential information to the attackers behind the attack.

SQL injection attacks work because of improperly coded PHP scripts that allow an attacker to insert malicious SQL into an application's queries from the client-side web browser. It is a common technique used by hackers looking to gain access to backend databases, which may hold sensitive personal and financial data for thousands, or even millions, of customers of the compromised website.

The Yoast vulnerability is slightly different because the flaw is found within the ‘admin/class-bulk-editor-list-table.php’ file, which can only be reached by WordPress users with Admin, Editor, or Author privileges. While this prevents hackers from simply targeting a website from the outside using this vulnerability, it is relatively simple to use social engineering techniques to reach an authorized account on the targeted website. This is especially true as many ‘Author’ accounts are held by freelance writers who may have no idea that they are being targeted by hackers.

WordPress SEO by Yoast plugin vulnerability

The most common way a hacker might use social engineering against one of these user accounts is to present the logged-in user with a specially crafted URL; opening it triggers the exploit without the victim's knowledge.

Often, this URL would be delivered to the target via email. Dewhurst released a proof-of-concept URL along with the announcement of this vulnerability that demonstrates just how easy it is for hackers to gain access to a WordPress-powered site using an affected version of WordPress SEO by Yoast. The SQL injection URL looks something like this:

"hxxp://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc"

What makes this threat so dangerous is the sheer number of websites that rely on this plugin to improve search engine optimization. In fact, it is such a popular tool for webmasters that many WordPress themes (both free and premium) include this plugin by default. As with so many other WordPress components with known vulnerabilities, webmasters often fail to update these plugins until it is too late and a breach has already occurred. To avoid falling victim to this threat, WordPress administrators should immediately check which version of WordPress SEO by Yoast is currently installed and update the plugin if necessary. For websites using WordPress version 3.7 and above, it is also recommended that the Auto Update feature be activated to prevent issues like this from compromising the website in the future.
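Two checks an administrator can run after reading the above, written here as an added example (not code from the article, from Dewhurst's advisory, or from the Yoast plugin): a version comparison against the 1.7.3.3 fix threshold named in the advisory, and a scan of web-server access logs for bulk-editor requests whose `orderby` value is anything other than a bare column name, which is what the proof-of-concept URL pattern above relies on. The log lines are constructed samples in Apache combined format with documentation-range IPs.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not real traffic). The second line
# carries an orderby value shaped like the published proof of concept.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:10:01:22 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date&order=asc HTTP/1.1" 200 5123
203.0.113.9 - - [12/Mar/2015:10:02:03 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc HTTP/1.1" 200 5123
203.0.113.5 - - [12/Mar/2015:10:02:40 +0000] "GET /wp-admin/admin.php?page=wpseo_dashboard HTTP/1.1" 200 800
"""

# Apache combined format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A legitimate ORDER BY column for the bulk editor is a plain identifier;
# commas, parentheses, spaces or keywords indicate an injection attempt.
SAFE_ORDERBY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_vulnerable_version(version, fixed="1.7.3.3"):
    """True for plugin versions prior to the fixed release named in the advisory."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


def suspicious_orderby(value):
    """True when a decoded orderby value is not a bare column name."""
    return SAFE_ORDERBY.match(value) is None


def scan_log(text):
    """Return bulk-editor requests whose orderby parameter is not a bare identifier."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlparse(match.group("path"))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("page", [""])[0] != "wpseo_bulk-editor":
            continue
        for value in params.get("orderby", []):
            if suspicious_orderby(value):
                hits.append({"ip": match.group("ip"), "time": match.group("ts"), "orderby": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} orderby={hit['orderby']!r}")
```

Point `scan_log` at a real access log to find past exploitation attempts; a hit from a logged-in Author, Editor or Admin session is the scenario the article describes.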


About the author:

Karolis Liucveikis
