All versions of the popular WordPress SEO plugin by Yoast prior to are vulnerable to a blind SQL injection attack. In an advisory published Wednesday, Ryan Dewhurst, developer of the WordPress vulnerability scanner WPScan, announced the flaw, which he first noticed on Tuesday. This type of attack can lead to a database breach and possible exposure of confidential information.

The plugin has over a million downloads on WordPress.org. There are about 60 million WordPress installations worldwide, making it easily the most used content management system.

Sites may be particularly hard to recover after an attack, since the great majority of WordPress users don’t back up their sites. A study released this week by CodeGuard found that only about a quarter of WordPress users have a backup plugin that can be used to restore a site.

Fortunately, this exploit can only be launched from an authenticated user account with the admin, editor or author role. However, such credentials can be easily obtained through social engineering. A report released late February by Mandiant shows that hackers can use phishing attacks to gain this type of information, leading to an account breach in as little as 30 minutes. A recent attack at Rogers was the result of social engineering. The risk of this attack is low since it would require a phishing attack in which the authorized admin, editor or author would have to open the bait URL while logged in to the target site for the blind SQL injection to execute.

Yoast can be affected by two types of authenticated blind SQL injection vulnerabilities. The affected file is admin/class-bulk-editor-list-table.php. “The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query,” said the advisory. “The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user.*%20from%20(select(sleep(10)))a)&order=asc.”
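As an added illustration (not code from the Yoast plugin), the unsafe pattern the advisory describes beside an allowlist fix. ORDER BY takes identifiers and keywords, which $wpdb->prepare() cannot bind, so the defence is to accept only known column names and ASC/DESC; the column list and the request array are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Contrasts an ORDER BY built
// directly from request parameters with one built from an allowlist.

// Vulnerable pattern: request values are concatenated into the query, so
// anything after a comma in "orderby" becomes part of the SQL statement.
function build_orderby_unsafe(array $get): string {
    return 'ORDER BY ' . $get['orderby'] . ' ' . $get['order'];
}

// Hardened pattern: only allowlisted column names and ASC/DESC reach the
// query; anything else falls back to a default instead of being echoed.
function build_orderby_safe(array $get): string {
    // Hypothetical column list for a bulk-editor table (assumed here).
    $allowed_columns = ['post_title', 'post_date', 'post_status', 'post_modified'];
    $orderby = $get['orderby'] ?? 'post_date';
    $order   = strtoupper($get['order'] ?? 'ASC');
    if (!in_array($orderby, $allowed_columns, true)) {
        error_log('rejected orderby value: ' . $orderby); // worth alerting on
        $orderby = 'post_date';
    }
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'ASC';
    }
    return "ORDER BY `$orderby` $order";
}

// Constructed sample input resembling the advisory's time-based probe.
$hostile = [
    'orderby' => 'post_date,(select * from (select(sleep(10)))a)',
    'order'   => 'asc',
];
$benign = ['orderby' => 'post_title', 'order' => 'desc'];

echo build_orderby_unsafe($hostile), "\n"; // payload reaches the query text
echo build_orderby_safe($hostile), "\n";   // default column, payload dropped
echo build_orderby_safe($benign), "\n";    // allowlisted column, normalised order
```

Logging the rejected value, as the safe version does, gives a detection hook: a burst of non-column orderby values against the bulk editor is a useful indicator for the probing the advisory describes.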

The latest version of WordPress SEO by Yoast (1.7.4), released by the Yoast plugin developers, patches the vulnerability. The change log says that the latest version has “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor.” The company released the patch almost as quickly as the advisory was published.

This article was written by Cheryl Kemp.