According to a Hacker News report, the popular WordPress plugin ‘SEO by Yoast’ is susceptible to hackers. The ‘SEO by Yoast’ plugin, developed by WordPress to help developers make websites more searchable, is extremely popular and used by millions.
The vulnerability in the ‘SEO by Yoast’ plugin has the potential of affecting millions – websites and their users. According to an advisory, all versions of ‘SEO by Yoast’ prior to 18.104.22.168 are vulnerable to the ‘Blind SQL Injection web application flaw’, which can cause serious damage to a WordPress site.
This vulnerability can’t be triggered directly by a hacker. The flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which only privileged users such as the WordPress Admin, Editor or Author are authorized to access. Hackers can use social engineering to trick these users into clicking on a link that triggers the SQLi attack.
Once inside the system, the attackers can create their own admin account within the WordPress site and act as desired – send out harmful links to the site’s customers/subscribers, steal customer data, or even take the site down.
In the plugin’s defense, not everyone who uses it is going to be automatically affected as the attack can only be triggered by a WordPress Admin, Editor, or Author by clicking on a malicious link manually.
The good news is that the vulnerability has been patched in both the general and premium flavors of the latest ‘SEO by Yoast’ version (1.7.4). Those using older versions may simply update to this latest version and ensure website integrity.
This is a cue for all WordPress administrators who’ve disabled the ‘Auto-update’ feature to upgrade their ‘SEO by Yoast’ plugin as soon as possible, or to manually download the latest version from the WordPress plugin repository. Those who have installed WordPress version 3.7 or above can enable fully automated updating of their plugins and themes by navigating to:
Manage > Plugins & Themes > Auto Updates tab
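
For administrators who look after several sites, the update advice above can be checked from the filesystem. The script below is an added example, not code from the plugin or the advisory: it finds plugin copies by the presence of the ‘admin/class-bulk-editor-list-table.php’ file named above, reads the Version field of the WordPress plugin header, and flags anything older than 1.7.4. The sample directory tree, its folder names and its version strings are constructed for the demonstration.

```python
import re
import sys
import tempfile
from pathlib import Path

FIXED = (1, 7, 4)  # patched release named in the article
MARKER = "admin/class-bulk-editor-list-table.php"  # file named in the article
VERSION = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def is_older(found, fixed=FIXED):
    """Compare segment by segment, zero-padded so (1, 7, 4) equals (1, 7, 4, 0)."""
    width = max(len(found), len(fixed))
    return found + (0,) * (width - len(found)) < fixed + (0,) * (width - len(fixed))

def plugin_version(plugin_dir):
    """Return the Version field of the plugin header as a tuple, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits at the top of the file
        match = VERSION.search(head) if "Plugin Name:" in head else None
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None

def audit(web_root):
    """Map each plugin copy under web_root to 'vulnerable', 'patched' or 'unknown'."""
    report = {}
    for marker in Path(web_root).rglob(MARKER):
        plugin_dir = marker.parent.parent
        version = plugin_version(plugin_dir)
        if version is None:
            report[str(plugin_dir)] = "unknown"  # no readable header: check by hand
        else:
            report[str(plugin_dir)] = "vulnerable" if is_older(version) else "patched"
    return report

def build_sample(root):
    """Constructed sample tree: two sites, one old copy and one updated copy."""
    for site, version in (("site-a", "1.7.3"), ("site-b", "1.7.4")):
        plugin = Path(root) / site / "wp-content" / "plugins" / "seo-plugin-dir"
        (plugin / "admin").mkdir(parents=True)
        (plugin / MARKER).write_text("<?php // placeholder\n")
        (plugin / "main.php").write_text(
            f"<?php\n/*\nPlugin Name: Sample SEO plugin\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for path, status in sorted(audit(root).items()):
        print(f"{status:10} {path}")
```

Run it with a web root as the only argument to audit real installs; with no argument it audits the constructed sample tree.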