A vulnerability that could allow an attacker to execute SQL commands on WordPress sites has been discovered in the popular Yoast SEO plugin. An update that fixes the vulnerability has been pushed to WordPress sites that have automatic updates turned on, but if you’re still running an older version of the plugin, you should update immediately. Versions older than 1.5 are not vulnerable, but that is seriously out of date, and if you can update to the newest version you should. Oddly, this plugin uses different version numbers for its free and premium offerings; we’re using the free plugin’s version numbers in this post. If you’re a premium user, take a look at Yoast’s post on the topic.
Yoast’s SEO plugin is one of the most popular plugins in the WordPress repository and is installed on many millions of WordPress sites.
The vulnerability is caused by poorly sanitized input that lets an attacker have SQL of their own choosing run by a WordPress site. That could allow an attacker to create a new admin user, and after that, the site is essentially theirs.
The SEO plugin vulnerability isn’t as bad as some we’ve seen in the past few months, in that it doesn’t allow just anyone to run remote code. In order to get the site to run the code, you have to be logged in. That would seem to remove most of the risk, but it leaves a gap that an attacker can exploit using a cross-site request forgery (CSRF): an attack with some similarities to cross-site scripting, but one that relies on a WordPress site trusting a user, rather than on a user trusting a site.
CSRF attacks work by getting someone the site trusts to click on a link on another site; this is often done with simple social engineering techniques. When someone who is logged in to a vulnerable WordPress site clicks a link that contains a request crafted to do whatever the attacker wants, the site has no way of knowing that it isn’t a legitimate request from an administrator.
The typical way to avoid these attacks is to sanitize input, and that’s where Yoast’s developers made a mistake. They trusted WordPress’s esc_sql() function, which didn’t sufficiently sanitize the input.
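As an added illustration (not code from the plugin or from the original post), here is a hypothetical WordPress admin handler that shows the weak pattern described above beside a hardened version. The WordPress functions used (esc_sql, check_admin_referer, current_user_can, sanitize_key, absint, $wpdb->prepare) are real core functions; the handler names, the table name and the request parameters are invented for the example.

```php
<?php
// Illustrative example, not the plugin's own code. Assumes it runs inside
// WordPress, where $wpdb and the helper functions below are provided by core.

// WEAK pattern: esc_sql() is documented as escaping data for use inside a
// quoted SQL string literal. In an unquoted position such as ORDER BY there
// are no quotes to break out of, so an escaped value is still read as SQL.
function hypothetical_list_links_weak() {
    global $wpdb;
    $orderby = esc_sql( $_GET['orderby'] );  // a column name is expected, but any SQL survives escaping
    $order   = esc_sql( $_GET['order'] );    // "asc" or "desc" expected, same problem
    $sql = "SELECT url, hits FROM {$wpdb->prefix}plugin_links ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );       // no capability or nonce check: a forged request from a logged-in user goes through
}

// HARDENED pattern:
//  1. require a capability, so only users meant to use the page can reach it;
//  2. verify a nonce, so a request forged from another site is rejected;
//  3. allow-list identifiers that cannot be parameterised (column names, sort direction);
//  4. use $wpdb->prepare() for actual values.
function hypothetical_list_links_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the request carries a valid _wpnonce for this action.
    check_admin_referer( 'hypothetical_list_links' );

    $allowed_columns = array( 'url', 'hits' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'url';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'url';                      // anything outside the allow-list falls back to a fixed default
    }
    $order    = ( isset( $_GET['order'] ) && 'desc' === strtolower( $_GET['order'] ) ) ? 'DESC' : 'ASC';
    $min_hits = isset( $_GET['min_hits'] ) ? absint( $_GET['min_hits'] ) : 0;

    // Identifiers come only from the allow-list above; the value goes through prepare().
    $sql = $wpdb->prepare(
        "SELECT url, hits FROM {$wpdb->prefix}plugin_links WHERE hits >= %d ORDER BY {$orderby} {$order}",
        $min_hits
    );
    return $wpdb->get_results( $sql );
}

// Links to the page must carry the matching nonce, e.g.:
// $url = wp_nonce_url( admin_url( 'admin.php?page=hypothetical_links' ), 'hypothetical_list_links' );
```

The nonce check is what closes the CSRF gap for logged-in users; the allow-list and prepare() are what make the query safe even if a request does get through.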
It’s more than likely that your WordPress site has already been updated via an automatic update — something that has put the cat amongst the pigeons somewhat, but that made sure most WordPress sites were protected. This plugin is hugely popular and any vulnerability is good news for hackers and bad news for WordPress users. But, if you’ve turned off automatic updates, you will have to manually update to the most recent version.