How To Resolve WordPress SEO Plugin SQL Injection Vulnerability
- July 29, 2015
SEO by Yoast is a popular search engine optimization plugin for WordPress. It has fixed a pair of blind SQL injection vulnerabilities that could have allowed an attacker to take complete control of affected websites. It is not known how many WordPress sites have SEO by Yoast installed, but the maker of this popular plugin claims that it has been downloaded more than 14 million times.
Vulnerable versions of the plugin allow arbitrary SQL queries to be executed, in part because the plugin lacks proper cross-site request forgery (CSRF) protections. If an attacker was able to trick an authenticated administrator, editor or author into following a link to a malicious page, the attacker could then create an admin role for himself and totally compromise the affected site.
A security tester first discovered the bug in SEO by Yoast version 126.96.36.199 on March 10, 2015. On the same day, the WPScan WordPress vulnerability database confirmed the bug with a technical review and notified SEO by Yoast. The plugin’s developer then confirmed the bug’s existence and released version 1.7.4 of the product, which resolved the security vulnerability, on March 11, 2015.
The blind SQL injection issues are said to have existed in the plugin’s admin/class-bulk-editor-list-table.php file, in which the ‘orderby’ GET parameter is not properly sanitized before being used in SQL queries.
According to WPScan, WordPress’s own esc_sql() function could not prevent SQL injection in SEO by Yoast when the ‘orderby’ GET parameter had a value assigned to it. In a proof-of-concept, the researcher sent a specially crafted GET request which, if followed by an authenticated user, would cause the injected SQL query to execute and sleep for 10 seconds.
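The reason esc_sql() does not help here is that it only escapes quote characters for use inside a quoted string literal, while an ORDER BY clause takes an unquoted column identifier, so the escaped value is spliced into the query unchanged. The following is an added, constructed illustration of that pattern and of the two fixes a plugin author would apply (an allowlist for the sort column and a nonce check against CSRF); it is not the plugin's own code, and the nonce action name and column list are assumptions.

```php
<?php
// Constructed example of the vulnerable and hardened patterns (not plugin code).
// Assumes a WordPress environment: $wpdb, esc_sql(), sanitize_key(),
// wp_verify_nonce(), wp_die() and $wpdb->prepare() all come from WordPress core.

// VULNERABLE PATTERN: esc_sql() escapes quotes for use inside a quoted string
// literal. ORDER BY takes an unquoted identifier, so the request parameter is
// concatenated straight into the SQL statement. There is also no nonce, so any
// link an authenticated admin follows can trigger the query (the CSRF step).
function seo_list_vulnerable( $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? esc_sql( $_GET['orderby'] ) : 'post_title';
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby"
    );
}

// HARDENED PATTERN:
//  1. A nonce ties the request to a form the admin actually submitted, so a
//     link planted on a third-party page cannot drive this code path.
//  2. The sort column is mapped through a fixed allowlist; only identifiers the
//     developer wrote reach the SQL, never the raw request value.
//  3. Values that belong in a quoted literal go through $wpdb->prepare().
function seo_list_hardened( $wpdb ) {
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'seo_bulk_list' ) ) { // action name is assumed
        wp_die( 'Invalid request.' );
    }

    $allowed_columns = array( 'post_title' => 'post_title', 'post_date' => 'post_date' );
    $requested = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'post_title';
    $orderby   = isset( $allowed_columns[ $requested ] ) ? $allowed_columns[ $requested ] : 'post_title';
    $order     = ( isset( $_GET['order'] ) && 'DESC' === strtoupper( $_GET['order'] ) ) ? 'DESC' : 'ASC';
    $post_type = isset( $_GET['post_type'] ) ? $_GET['post_type'] : 'post';

    // $orderby and $order are now guaranteed to be one of a few fixed literals;
    // $post_type is a quoted string value and is bound with a %s placeholder.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY $orderby $order",
        $post_type
    ) );
}
```

The same allowlist rule applies to any other SQL fragment that is not a quoted literal (table names, LIMIT counts, ASC/DESC), since prepare() placeholders cannot express those either.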