Update: Yoast on Thursday patched a cross-site scripting vulnerability in its Google Analytics WordPress plugin that was ripe for remote code execution.
The plugin has been downloaded 6.8 million times according to statistics on the Yoast website; Yoast said there have been no public exploits. The plugin monitors website traffic, providing site administrators with page view numbers and other trending data.
The vulnerability was disclosed Wednesday to Yoast by Finnish researcher Jouko Pynnonen and a patch was turned around in a day.
Pynnonen explained in an advisory posted to the Full Disclosure mailing list that an attacker can store malicious JavaScript or HTML in the WordPress Administrator Dashboard and that code could be triggered by merely viewing the Yoast plugin settings panel. All of this can be accomplished without authentication.
“This is possible because the developer has forgotten to implement access checks and anyone can modify the settings,” Pynnonen told Threatpost. “The attacker can connect the target website with their own Google Analytics account. Some of the data shown in the WordPress Dashboard comes via Google. Now the attacker would control that data, and can inject JavaScript in it.”
Yoast’s Joost de Valk said in a post on the company’s website that an attacker could change the list of profiles in Google Analytics, but could not change active code, and that website tracking would not be affected.
“This list of profiles could be made malicious because Google Analytics allows property names that have JavaScript code in them. At that point an admin visiting the settings page could suffer from a stored XSS attack because we didn’t properly escape the property names on output,” de Valk said. “This is not something a hacker could easily automate … but if someone wanted to seriously target your site, he could.”
Yoast advises users to update to version 5.3.3 of its free plugin; paid users of its Premium service should update to version 1.2.2.
Pynnonen said the plugin lacks access controls, which allows a hacker to modify admin settings by overwriting the existing OAuth2 credentials the plug-in uses to retrieve data from Google Analytics, thereby connecting the plug-in to the attacker’s own Google Analytics account. The researcher said the plug-in then builds an HTML dropdown menu from Google Analytics data that is neither sanitized nor HTML-escaped.
“If the said attacker enters HTML code such as script tags in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings,” Pynnonen said.
“Obviously, an anonymous person shouldn’t be able to change settings of your website. The plugin should check that the person modifying settings is logged on, and is an administrator – as it now does, after the patch,” Pynnonen said.
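As an added illustration, not code from the Yoast plugin or from Pynnonen’s advisory: a minimal WordPress settings handler showing the two defects described above (a save handler with no access check, and property names from the linked Google Analytics account echoed into a dropdown without escaping) beside a hardened form. The option name `ex_ga_profiles`, the action name and the function names are hypothetical; the WordPress API calls (`current_user_can`, `check_admin_referer`, `esc_attr`, `esc_html`) are real.

```php
<?php
// Added example, not the Yoast plugin's code. Option, action and function names are hypothetical.

// BEFORE: any request that reaches the handler can overwrite the stored profiles, and the
// property names fetched from Google Analytics are echoed into the admin page unescaped.
function ex_ga_save_profiles_vulnerable() {
    // No capability check and no nonce: an unauthenticated request can replace the settings.
    $profiles = isset( $_POST['profiles'] ) ? (array) $_POST['profiles'] : array();
    update_option( 'ex_ga_profiles', $profiles );
}

function ex_ga_render_dropdown_vulnerable() {
    echo '<select name="ex_ga_profile">';
    foreach ( (array) get_option( 'ex_ga_profiles', array() ) as $id => $name ) {
        // $name is whatever the linked Google Analytics account owner typed as a property name.
        echo '<option value="' . $id . '">' . $name . '</option>';
    }
    echo '</select>';
}

// AFTER: only a logged-in administrator holding a valid nonce may change settings,
// stored values are sanitized, and every externally sourced value is escaped on output.
function ex_ga_save_profiles_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ex_ga_save_profiles' ); // dies on a missing or invalid nonce
    $profiles = array();
    foreach ( (array) ( $_POST['profiles'] ?? array() ) as $id => $name ) {
        $profiles[ sanitize_key( $id ) ] = sanitize_text_field( wp_unslash( $name ) );
    }
    update_option( 'ex_ga_profiles', $profiles );
}

function ex_ga_render_dropdown_hardened() {
    echo '<select name="ex_ga_profile">';
    foreach ( (array) get_option( 'ex_ga_profiles', array() ) as $id => $name ) {
        // Escape at the point of output regardless of what was stored; the attribute and the
        // text node need different escaping contexts.
        echo '<option value="' . esc_attr( $id ) . '">' . esc_html( $name ) . '</option>';
    }
    echo '</select>';
}

// Register only the authenticated hook; admin_post_nopriv_* would expose the handler to anonymous users.
add_action( 'admin_post_ex_ga_save_profiles', 'ex_ga_save_profiles_hardened' );
```

The form that posts to this action must include `wp_nonce_field( 'ex_ga_save_profiles' )`, otherwise the hardened handler rejects every submission.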
Pynnonen provided a proof-of-concept exploit along with vulnerability details.
“A real-world attack would probably use a src attribute to load a more sophisticated script from an external site,” Pynnonen said. “It could make chained ajax calls to load and submit administrative forms, including those of the plugin editor to write server-side PHP code, and finally execute it.
“The attacker gets administrative access (as long as some of the legitimate administrators view the Settings panel at some point),” Pynnonen said. “From this point pretty much everything is possible – they have full control on the website and can modify any of its content, e.g. deliver malware to people who view the website.”
This article was updated at 11:30 a.m. ET with comments from Jouko Pynnonen.