Menu
Over a million WordPress websites at risk because of flaw in popular SEO plug-in

Over a million WordPress websites at risk because of flaw in popular SEO plug-in

The vulnerability in a plug-in from Yoast exposes sites to SQL injection attacks

Over a million WordPress websites that use a popular plug-in to optimize their search engine results are at risk of being hacked if they don't apply a newly released patch.

The WordPress SEO plug-in developed by Dutch website optimization firm Yoast contains a vulnerability that allows attackers to manipulate a site's database and add rogue administrative accounts.

The so-called blind SQL injection vulnerability was discovered by Ryan Dewhurst, a security researcher and co-developer of the WPScan vulnerability scanner. The flaw affects versions 1.7.3.3 and older of WordPress SEO by Yoast.

In theory, exploiting the flaw requires authentication. However, since there is no cross-site request forgery (CSRF) protection, an attacker could exploit the flaw by tricking an authenticated user -- like an administrator, editor or author -- to click on a specially crafted link or to visit a malicious page, Dewhurst said in an advisory.

A CSRF attack involves forcing a user's browser to execute an unauthorized action on a third-party website when that user visits a Web page controlled by an attacker. Websites must implement special protection mechanisms to prevent such attacks.

Yoast addressed the flaw Wednesday by releasing version 1.7.4 of the free WordPress SEO plug-in and version 1.5.3 of the product's commercial variant, which was also affected.

The free WordPress SEO plug-in has been downloaded over 14.2 million times. According to official WordPress statistics, it has over 1 million active installations, making it not just one of the most popular plug-ins for search engine optimization (SEO), but one of the most popular WordPress plug-ins overall.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityonline safetypatchesAccess control and authenticationExploits / vulnerabilitiesYoast

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments