Yoast WordPress SEO Plugin Vulnerable To Hackers

Posted on

The Yoast WordPress SEO Plugin that is used by over 14 million WordPress blogs on the web has reportedly been open to an exploit where hackers can do a Blind SQL injection.

SQL Injection vulnerability Yoast SEO plugin
SQL Injection vulnerability Yoast SEO plugin

A Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

It can be used to insert an SQL query into the database to either extract data, modify data or delete data. It is often used to insert unwanted or unauthorized affiliate, spam links, or malware/adware on sites.

If you are on WordPress, there is a good chance you are using this Yoast plugin. To fix the issue, upgrade to version 1.7.4 immediately. This version is documented to be a security fix based on what Ryan Dewhurst found during a security scan. The security fix says:
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

Source:http://searchengineland.com/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s