Menu
Over a million WordPress websites at risk because of flaw in popular SEO plug-in

Over a million WordPress websites at risk because of flaw in popular SEO plug-in

The vulnerability in a plug-in from Yoast exposes sites to SQL injection attacks

Over a million WordPress websites that use a popular plug-in to optimize their search engine results are at risk of being hacked if they don't apply a newly released patch.

The WordPress SEO plug-in developed by Dutch website optimization firm Yoast contains a vulnerability that allows attackers to manipulate a site's database and add rogue administrative accounts.

The so-called blind SQL injection vulnerability was discovered by Ryan Dewhurst, a security researcher and co-developer of the WPScan vulnerability scanner. The flaw affects versions 1.7.3.3 and older of WordPress SEO by Yoast.

In theory, exploiting the flaw requires authentication. However, since there is no cross-site request forgery (CSRF) protection, an attacker could exploit the flaw by tricking an authenticated user -- like an administrator, editor or author -- to click on a specially crafted link or to visit a malicious page, Dewhurst said in an advisory.

A CSRF attack involves forcing a user's browser to execute an unauthorized action on a third-party website when that user visits a Web page controlled by an attacker. Websites must implement special protection mechanisms to prevent such attacks.

Yoast addressed the flaw Wednesday by releasing version 1.7.4 of the free WordPress SEO plug-in and version 1.5.3 of the product's commercial variant, which was also affected.

The free WordPress SEO plug-in has been downloaded over 14.2 million times. According to official WordPress statistics, it has over 1 million active installations, making it not just one of the most popular plug-ins for search engine optimization (SEO), but one of the most popular WordPress plug-ins overall.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags patchesonline safetysecurityAccess control and authenticationYoastExploits / vulnerabilities

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments