Hacker News reports that a vulnerability affecting millions of users has been found in industry leading WordPress plugin SEO by Yoast.
According to an advisory, all versions of SEO by Yoast prior to 18.104.22.168 are vulnerable to Blind SQL Injection web application flaw. This is considered a critical vulnerability due to the fact that it could seriously compromise your WordPress site.
Mohit Kumar of Hacker News explains how the vulnerability works:
“Basically in SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. However, in this scenario, an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only.
Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick authorized user to click on a specially crafted payload exploitable URL.”
Trying to simplify that, what he means is an attacker could exploit this vulnerability by tricking WordPress admins into clicking on a link which would trigger the SQLi attack.
Once the attack has been carried out, the attacker could then add their own admin account to the vulnerable WordPress site and do whatever they want with it.
A key takeaway here is the fact that everyone who has SEO by Yoast installed is not going to be automatically affected by this. The attack can only be manually triggered by a WordPress admin, editor, or author who clicks on a dangerous link created by the attacker.
In addition, this is something that can easily fixed by updating your plugin to the latest version. The Yoast team promptly patched the exploit upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.
In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. If you don’t have the auto-update feature turned on, it’s strongly recommended that you update the SEO by Yoast plugin on all sites where you have it installed.