How to Yoast WordPress SEO Plugin Makes Your Website Vulnerable!

According to a latest news, the popular Yoast SEO WordPress Plugin has a major vulnerability that makes a website susceptible to blind SQL injections. This is a very popular plugin that is used by over 14 million websites. Reportedly, all versions of SEO by Yoast prior to 1.7.3.3 are vulnerable to Blind SQL Injection web application flaw. This is an alarming news for those that use this plugin, because it could seriously compromise the data on their website.

In addition, this is something that can easily fixed by updating your plugin to the latest version. The Yoast team promptly patched the exploit upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. It is strongly recommended that you update all SEO and security plugins on your websites as soon as possible.

According to Mohit Kumar of Hacker News:

“Basically in SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. However, in this scenario, an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only. 

Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick authorized user to click on a specially crafted payload exploitable URL.”

So in other words, WordPress admins can be tricked into clicking on links that would then trigger an SQLi attack. After the attack, the attacker could then add their own admin account to the vulnerable WordPress site and do whatever they want with it.

Everyone who has SEO by Yoast installed is not going to be automatically affected by this. The attack can only be manually triggered by a WordPress admin, editor, or author who clicks on a dangerous link created by the attacker.