SEO by Yoast, a popular search engine optimization plug-in for WordPress, has fixed a pair of blind SQL injection vulnerabilities that could have allowed an attacker to take complete control of affected sites.
It’s not clear how many WordPress sites have SEO by Yoast installed, but the maker of the popular plugin claims it has been downloaded more than 14 million times.
Vulnerable versions of the plugin are susceptible to arbitrary SQL query execution, in part because they lack proper cross-site request forgery protections. If an attacker were able to trick an authenticated administrator, editor or author into following a link to a malicious page, the attacker could then create an admin role for himself and totally compromise affected sites.
Freelance security tester Ryan Dewhurst first discovered the bug in SEO by Yoast version 18.104.22.168 on March 10. That same day, Christian Mehlmauer of the WPScan WordPress vulnerability database confirmed the bug with a technical review and notified SEO by Yoast. The plugin’s developer then confirmed the bug’s existence and, on March 11, released version 1.7.4 of the product, which resolves the security vulnerability.
The blind SQL injection issues are said to have existed in the plugin’s ‘admin/class-bulk-editor-list-table.php’ file, in which the ‘orderby’ and ‘GET’ parameters are not properly sanitized before being used in SQL queries.
According to WPScan, WordPress’s own ‘esc_sql()’ function could not prevent SQL injection in SEO by Yoast when the GET orderby parameter had some value assigned to it.
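Why quote escaping gives no protection in an ORDER BY clause, shown as an added example that is not the plugin's code: `quote_escape()` is a stand-in for `esc_sql()` built on `addslashes()` so it runs without WordPress, and the query builders, the column list, the `order` parameter and the sample values are hypothetical.

```php
<?php
// Added example: stand-alone PHP, no WordPress required.
// quote_escape() is a stand-in (assumption) for esc_sql(): it escapes the
// characters that could close a quoted string literal, and nothing else.
function quote_escape(string $value): string {
    return addslashes($value);
}

// Hypothetical list-table query: the escaped request value is placed in
// ORDER BY, where it is not inside quotes, so escaping never constrains it.
function build_query_escaped(array $get): string {
    $orderby = quote_escape($get['orderby'] ?? 'post_title');
    return "SELECT ID, post_title FROM wp_posts ORDER BY {$orderby} ASC";
}

// Hardened form: the request only selects among fixed column names and
// directions; no request text is ever copied into the SQL string.
const SORTABLE_COLUMNS = ['post_title', 'post_date'];

function build_query_allowlisted(array $get): string {
    $requested = $get['orderby'] ?? '';
    $column = in_array($requested, SORTABLE_COLUMNS, true) ? $requested : 'post_title';
    $order = $get['order'] ?? '';
    $dir = (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';
    return "SELECT ID, post_title FROM wp_posts ORDER BY {$column} {$dir}";
}

// Constructed sample inputs.
$samples = [
    'post_date',        // ordinary sort request
    "post_title' --",   // contains a quote: escaping alters it
    '(SELECT 1)',       // no quote: escaping leaves it untouched
];

foreach ($samples as $value) {
    $get = ['orderby' => $value];
    printf(
        "input:       %s\nescaped:     %s\nallowlisted: %s\n\n",
        $value,
        build_query_escaped($get),
        build_query_allowlisted($get)
    );
}
```

In the third sample the escaped query carries the parenthesised expression verbatim into ORDER BY, while the allowlisted query falls back to `post_title`.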
In a proof-of-concept, Dewhurst sent a special GET request that, if clicked on by authenticated users, caused SQL queries to execute and sleep for 10 seconds.
To its credit, SEO by Yoast was fast to fix the problem. Users of the plugin should update to the latest version.