All versions of the popular WordPress SEO plugin Yoast prior to 18.104.22.168 are vulnerable to a blind SQL injection attack. In an advisory published Wednesday, Ryan Dewhurst, developer of the WordPress vulnerability scanner WPScan announced the flaw which he first noticed on Tuesday. This type of attack can lead to a database breach and possible exposure of confidential information.
The plugin has over a million downloads on WordPress. There are about 60 million WordPress installations worldwide making it easily the most used content management system.
Sites may be particularly vulnerable after an attack since the great majority of WordPress users don’t back up their sites. A study released this week by CodeGuard found that only about a quarter of WordPress users have a backup plugin that can be used to restore a site.
Many service providers such as GoDaddy, Media Temple, Pressidium and Pagely offer managed WordPress hosting which can be an advantage in this type of situation. These services keep plugins up to date and the site backed up so the site owner doesn’t need to be responsible for regular maintenance.
Fortunately, this exploit can only be launched from an authorized user account as an admin, editor or author. However, this type of information can be easily obtained through social engineering. A report released late February by Mandiant shows that hackers can use phishing attacks to gain this type of information leading to an account breach in as little as 30 minutes. A recent attack at Rogers was the result of social engineering. The risk of this attack is low since it would require a phishing attack in which the authorized admin, editor or author would have to open the bait URL and be logged in to the target site for the blind SQL injection to execute.
Yoast can be affected by two types of authenticated blind SQL injection vulnerabilities. The affected file is admin/class-bulk-editor-list-table.php. “The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query,” said the advisory. “The
following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user. http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulkeditor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc.”
The latest version of WordPress SEO by Yoast (1.7.4) by Yoast WordPress plugin developers patches the vulnerability. The change log says that latest version has “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor.” The company responded with the the patch almost as quickly as the advisory was released.
“We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website,” explained the CEO of Yoast, Joost de Valk in a blog post. “This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue. Why we didn’t catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse but it’s a good lesson to learn for other developers.”
de Valk also said in an email to the WHIR, “The forced auto-update from WordPress.org is a nice thing to be able to do at that point.” This type of situation underscores the importance of taking advantage of the WordPress fully automated updating of plugins and themes if the site is not using managed hosting. It can be accessed from Manage > Plugins & Themes > Auto Updates tab.