Update: Yoast on Thursday patched a cross-site scripting vulnerability in its Google Analytics WordPress plugin that was ripe for remote code execution.
The plugin has been downloaded 6.8 million times according to statistics on the Yoast website; Yoast said there have been no public exploits. The plugin monitors website traffic, providing site administrators with page view numbers and other trending data.
The vulnerability was disclosed Wednesday to Yoast by Finnish researcher Jouko Pynnonen and a patch was turned around in a day.
Yoast’s Joost de Valk said in a post on the company’s website that an attacker could change the list of profiles in Google Analytics, but could not change active code, and that website tracking would not be affected.
Yoast advises users to update to version 5.3.3 of its free plugin; paid users of its Premium service should update to version 1.2.2.
Pynnonen said the plugin lacks access controls, which allows a hacker to modify admin settings by overwriting the OAuth2 credentials the plugin uses to retrieve data from Google Analytics, thereby connecting the plugin to the attacker’s own Google Analytics account. The researcher said the plugin then builds an HTML dropdown menu from Google Analytics data that is neither sanitized nor HTML-escaped.
“If the said attacker enters HTML code such as script tags in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings,” Pynnonen said.
“Obviously, an anonymous person shouldn’t be able to change settings of your website. The plugin should check that the person modifying settings is logged on, and is an administrator – as it now does, after the patch,” Pynnonen said.
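The two controls Pynnonen points to, a capability check on the settings handler and escaping of the Google Analytics-derived dropdown, shown in a hypothetical WordPress plugin as an added illustration (this is not the Yoast plugin’s own code); the `ga_save_credentials` action, the `ga_oauth_credentials` option and the `ga_profile` field name are assumptions.

```php
<?php
// Added illustration, not the Yoast plugin's code. Hook names, the option
// name and the field name are hypothetical.

// BEFORE: the handler is reachable by anonymous callers through admin-ajax.php
// and checks neither capability nor request origin, so anyone can overwrite
// the OAuth credentials and point the plugin at a different GA account.
add_action( 'wp_ajax_nopriv_ga_save_credentials', 'ga_save_credentials_unchecked' );
add_action( 'wp_ajax_ga_save_credentials',        'ga_save_credentials_unchecked' );
function ga_save_credentials_unchecked() {
    update_option( 'ga_oauth_credentials', $_POST['credentials'] ); // no auth, no nonce
    wp_die();
}

// AFTER: no nopriv hook (anonymous requests never reach the handler), the
// caller must hold manage_options, and the request must carry a valid nonce.
add_action( 'wp_ajax_ga_save_credentials', 'ga_save_credentials_checked' );
function ga_save_credentials_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'ga_save_credentials' );          // dies on a missing/bad nonce
    // sanitize_text_field is a placeholder; use a validator matching the real format
    $creds = sanitize_text_field( wp_unslash( $_POST['credentials'] ?? '' ) );
    update_option( 'ga_oauth_credentials', $creds );
    wp_send_json_success();
}

// Dashboard dropdown: profile names come from the connected GA account, so
// they are attacker-influenced if that account was swapped. Escaping every
// value at output time turns a <script> tag in a profile name into plain text.
function ga_render_profile_dropdown( array $profiles, string $selected ) {
    $html = '<select name="ga_profile">';
    foreach ( $profiles as $id => $name ) {
        $html .= sprintf(
            '<option value="%s"%s>%s</option>',
            esc_attr( $id ),
            selected( $id, $selected, false ),  // returns ' selected="selected"' or ''
            esc_html( $name )
        );
    }
    return $html . '</select>';
}
```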
Pynnonen provided a proof-of-concept exploit along with vulnerability details.
“A real-world attack would probably use a src attribute to load a more sophisticated script from an external site,” Pynnonen said. “It could make chained ajax calls to load and submit administrative forms, including those of the plugin editor to write server-side PHP code, and finally execute it.
“The attacker gets administrative access (as long as some of the legitimate administrators view the Settings panel at some point),” Pynnonen said. “From this point pretty much everything is possible – they have full control on the website and can modify any of its content, e.g. deliver malware to people who view the website.”
This article was updated at 11:30 a.m. ET with comments from Jouko Pynnonen.