WordPress plugin used by millions sports critical site-hijacking flaw
Another popular Yoast WordPress plugin has been found sporting a critical vulnerability that attackers can exploit to take control of the site.
A week ago it was the WordPress SEO plugin, which is actively used on more than a million WP sites. This time it's the company's Google Analytics plugin, which has apparently been downloaded around 7 million times.
“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.
He also provided PoC code for the exploitation, but only because the flaw had already been patched.
Yoast was notified about the flaw on Wednesday, and a new version of the plugin (5.3.3) was released on Thursday. Needless to say, users are advised to update to it as soon as possible.
According to Yoast owner Joost de Valk, there has been no evidence that the flaw was exploited in the wild.
“The issue we fixed was another compound issue where an unauthenticated user could change the list of profiles in Google Analytics (he couldn’t change the active UA code, so he couldn’t impact your tracking directly),” he explained.
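To make the class of bug concrete from the defender's side, here is an added illustration (hypothetical code, not the Yoast plugin's own source): a WordPress AJAX handler that stores a list of Analytics profile names, shown in a weak form that any unauthenticated visitor can reach, then in a hardened form that checks a nonce, requires the manage_options capability, and sanitizes on input and escapes on output. The option name `demo_ga_profiles` and the action name `demo_save_profiles` are assumptions.

```php
<?php
// Hypothetical example, not code from the Yoast Google Analytics plugin.

// WEAK FORM (shown only for contrast; not registered below). If this handler were
// hooked on 'wp_ajax_nopriv_demo_save_profiles', any visitor could overwrite the
// stored profile list, and unescaped names would later be rendered in the admin UI.
function demo_save_profiles_weak() {
    $profiles = isset( $_POST['profiles'] ) ? (array) $_POST['profiles'] : array();
    update_option( 'demo_ga_profiles', $profiles );
    wp_send_json_success();
}

// HARDENED FORM: reachable only through the logged-in 'wp_ajax_' hook (no 'nopriv'
// variant), protected by a nonce bound to this action, restricted to administrators,
// and with every stored value reduced to plain text before it is written.
function demo_save_profiles_hardened() {
    check_ajax_referer( 'demo_save_profiles', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $raw      = isset( $_POST['profiles'] ) ? (array) $_POST['profiles'] : array();
    $profiles = array_map( 'sanitize_text_field', wp_unslash( $raw ) );
    update_option( 'demo_ga_profiles', $profiles );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_profiles', 'demo_save_profiles_hardened' );

// Escape on output too, so a value that somehow reaches the option can never
// execute as script in an administrator's browser.
function demo_render_profiles() {
    foreach ( (array) get_option( 'demo_ga_profiles', array() ) as $name ) {
        echo '<li>' . esc_html( $name ) . '</li>';
    }
}

// The nonce the hardened handler expects is issued on the settings page like this
// (hypothetical settings page; wp_create_nonce is a real WordPress function).
function demo_profiles_nonce_field() {
    echo '<input type="hidden" name="nonce" value="'
        . esc_attr( wp_create_nonce( 'demo_save_profiles' ) ) . '">';
}
```

The two checks to look for when auditing a settings handler are a capability check (current_user_can) and a nonce check (check_ajax_referer or check_admin_referer); a handler registered under a wp_ajax_nopriv_ hook that writes options is the pattern to flag.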