Non-severe issues, can be exploited via targeted attacks

Mar 20, 2015 10:50 GMT  ·  By

Some versions of Yoast’s Google Analytics plug-in, used for monitoring traffic on WordPress websites, are vulnerable to persistent XSS attacks that can allow an attacker to execute malicious PHP code on the server.

This can lead to changing passwords for administrator accounts or the creation of new profiles with elevated privileges on the targeted website.

An attack consists of malicious JavaScript being executed when an administrator opens the configuration panel of the plug-in.

Yoast’s Google Analytics for WordPress is a highly popular plug-in, with more than 1 million active users and thousands of daily downloads; the all-time number of downloads for the plug-in is upward of 8.3 million and its current average rating from users is 4.2 out of 5.

Improper data sanitization

Jouko Pynnönen from the Finnish IT firm Klikki Oy discovered the vulnerability and disclosed it responsibly to Yoast, triggering an update for the WordPress component that makes it safe from stored XSS attacks.

“The impact is a combination of two underlying problems,” he writes in a blog post, explaining that a lack of access controls permits changing the configuration of the plug-in without prior authentication.

As a result, an attacker could connect the component to their own Google Analytics account by overwriting the OAuth2 credentials used to pull statistics from the real account.

“Secondly, the plug-in renders an HTML dropdown menu based on the data downloaded from Google Analytics. This data is not sanitized or HTML-escaped. If the said attacker enters HTML code such as tags in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings,” details Pynnönen.
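As an added illustration, and not Yoast’s own code, the two problems Pynnönen describes in PHP: a dropdown built from fetched property names without escaping, its escaped counterpart, and a settings handler gated by a capability check and a nonce. The function, option and nonce action names are assumptions, and the hardened code assumes the WordPress escaping and nonce helpers are available.

```php
<?php
// Constructed sample of data fetched from the analytics API; the second
// property name carries markup instead of plain text.
$properties = [
    ['id' => 'UA-000000-1', 'name' => 'Corporate site'],
    ['id' => 'UA-000000-2', 'name' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: fetched values are interpolated into HTML without
// escaping, so markup in a property name is rendered by the admin's browser
// as part of the settings page rather than shown as text.
function render_property_dropdown_unsafe(array $properties): string {
    $html = '<select name="ga_property">';
    foreach ($properties as $p) {
        $html .= '<option value="' . $p['id'] . '">' . $p['name'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: escape each value for the context it lands in. In
// WordPress that is esc_attr() for attribute values and esc_html() for
// text nodes; outside WordPress, htmlspecialchars() with ENT_QUOTES does
// the same job. The script tag above then renders as inert text.
function render_property_dropdown_safe(array $properties): string {
    $html = '<select name="ga_property">';
    foreach ($properties as $p) {
        $html .= '<option value="' . esc_attr($p['id']) . '">'
               . esc_html($p['name']) . '</option>';
    }
    return $html . '</select>';
}

// The handler that stores the selection should only run for users allowed
// to manage options, and only on a request carrying a valid nonce, which
// closes the unauthenticated configuration change described above.
// 'ga_save_settings' and 'ga_property' are hypothetical names.
function save_settings_safe(array $post): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    check_admin_referer('ga_save_settings');
    update_option('ga_property', sanitize_text_field($post['ga_property'] ?? ''));
}
```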

Attacks in the wild could emerge, PoC available

In a security advisory on Thursday, Yoast marked the issue as not severe but stated that it could be used in targeted attacks, which require more effort to carry out. The developers also mentioned that no attacks had been observed in the wild, but this could change.

Although the security flaws were addressed the day after the vulnerability reports were submitted, by releasing Yoast Google Analytics 5.3.3 and Premium build 1.2.2, many admins have yet to apply the update, leaving their websites susceptible to attacks.

The risk is increased by the fact that attack instructions and proof-of-concept (PoC) code demonstrating how the Google Analytics account can be hijacked have been created and are available without restriction.

Proof-of-concept video and explanations of the exploit method: