Critical hole in popular WordPress SEO plugin allows SQLi, site hijacking

Another highly popular WordPress plugin has been found sporting a cross-site request forgery flaw that can be exploited to mount a blind SQL injection attack, and could also lead to an attacker gaining complete control of the site by adding his own administrative user to it.

The WordPress SEO plugin developed by Yoast has been installed and is actively used on more than a million WordPress sites. As its name says, the plugin is used to improve the Search Engine Optimization of WordPress sites.

“The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database,” Joost de Valk, the company’s owner explained. “While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.”

The flaw has been found and responsibly disclosed to the Yoast team by Ryan Dewhurst of the WPScan team. More details about the vulnerability and exploit code can be found here.

“Because of the severity of the issue, the WordPress.org team put out a forced automatic update,” de Valk pointed out. Users who have disabled autoupdating are urged to update to versions 1.7.4, 1.6.4, and 1.5.7 (depending on which version they previously used.

“If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3,” he concluded.