Yoast SEO Plugin Vulnerable to Blind SQL Injection: Update Immediately


WordPress SEO by Yoast is one of the most popular SEO plugins on the market, with over 1 million active installs. Unfortunately, yesterday the WPScan Vulnerability Database identified a security issue with it and issued the following statement:

The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.

The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.

Yoast was quick to respond with a patch and released version 1.7.4 with the following security fix:

Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
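The fix described in the changelog comes down to allowlisting: an ORDER BY column or direction cannot be bound as a query parameter, so the only safe option is to accept a fixed set of tokens and discard everything else. The following is an added Python illustration of that sanitation, not the plugin's own code; the column names, the posts table and the sample rows are assumptions made for the example.

```python
import sqlite3

# Allowlists: the only values a request may select for ORDER BY. Anything else,
# however it is encoded, falls back to the default and never reaches the SQL.
# The column names are assumed for this example, not taken from the plugin.
ALLOWED_ORDERBY = ("post_title", "post_date", "post_modified")
ALLOWED_ORDER = ("asc", "desc")

# Constructed sample data standing in for the posts a bulk editor would list.
SAMPLE_POSTS = [
    ("Banana", "2015-03-10"),
    ("Apple", "2015-03-12"),
    ("Cherry", "2015-03-11"),
]


def sanitize_order_params(raw_orderby, raw_order):
    """Reduce untrusted orderby/order values to allowlisted tokens.

    Returns (orderby, order, rejected). `rejected` is True when either input was
    not on the allowlist; that is worth logging, since a well-behaved client
    never sends anything else for these parameters.
    """
    orderby_ok = raw_orderby in ALLOWED_ORDERBY
    order_ok = (raw_order or "").lower() in ALLOWED_ORDER
    orderby = raw_orderby if orderby_ok else ALLOWED_ORDERBY[0]
    order = raw_order.lower() if order_ok else ALLOWED_ORDER[0]
    return orderby, order, not (orderby_ok and order_ok)


def build_query(raw_orderby, raw_order):
    """Interpolate the identifiers only after they are known-good tokens."""
    orderby, order, _ = sanitize_order_params(raw_orderby, raw_order)
    return f"SELECT post_title FROM posts ORDER BY {orderby} {order.upper()}"


def list_titles(raw_orderby, raw_order):
    """Run the sanitized query against an in-memory table of the sample posts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (post_title TEXT, post_date TEXT, post_modified TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)", [(t, d, d) for t, d in SAMPLE_POSTS])
    rows = con.execute(build_query(raw_orderby, raw_order)).fetchall()
    con.close()
    return [title for (title,) in rows]


if __name__ == "__main__":
    print(list_titles("post_date", "desc"))
    print(sanitize_order_params("post_title, (SELECT 1)", "asc"))
```

Note that the check is an exact match against the allowlist, not an escaping routine: identifiers cannot be quoted the way string values can, so filtering characters out of them is the wrong tool.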

SQL injection is a serious cause for concern on WordPress sites and can effectively allow a hacker to take control of your site, so we highly recommend that anyone using this plugin update it.

All clients using this plugin have already been updated.

James
I am the director of Dolphin Promotions, a full service web design and marketing company based in Blackpool, UK.