What WordPress’s “wordpress-seo” Hackability Teaches Us About Plugin Safety
- April 7, 2015
By now, you’ve likely heard the news: “wordpress-seo” does a little more than just optimize for search engines. That optimization extends to hackers as well.
It wasn’t until recently that the popular plugin’s fatal security flaws began to rear their heads. The plugin’s makers, Yoast, have since provided a patch to protect users from the hole that had previously left them unknowingly vulnerable to a full blog takeover. According to professional sources on the matter, it also had the potential to allow sites to be broken into and implanted with malicious content that could have tracked any and all information and movement.
Though we don’t often hear stories this egregious in the news, it’s likely that Yoast’s “wordpress-seo” isn’t the only plugin of its kind with vulnerabilities. What situations like this truly teach us about online safety is that there is no such thing as a safe one-size-fits-all plugin. Without any semblance of customization, let alone a steady team heavily invested in and dedicated to a particular project, these generic plugins are left to fend for themselves, at your expense.
Critical flaw, not so critical eye
The plugin’s maker said of the critical flaw,
We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue. Why we didn’t catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse but it’s a good lesson to learn for other developers.
The fact is that when there’s no inspiration or particularly strong incentive to put more focus on “regular security reviews,” major issues like this are bound to arise.
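To make Yoast’s “esc_sql is not enough” lesson concrete, here is an added illustration (our own sketch, not code from the wordpress-seo plugin): a weak handler that relies on esc_sql() and has no CSRF protection, beside a hardened one that checks a capability and a nonce, whitelists identifiers and binds values with $wpdb->prepare(). It assumes a loaded WordPress environment; the function names, nonce action and request parameters are made up for the example.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded
// ($wpdb, current_user_can, wp_verify_nonce, WP_Error); names are invented.

// WEAK: esc_sql() only escapes quotes for a value placed INSIDE a quoted
// string literal. In an unquoted position such as ORDER BY the escaped value
// is still interpolated as SQL, so escaping buys nothing there. With no nonce
// check, any page a logged-in editor visits can send their browser here,
// which is the CSRF half of the issue described above.
function demo_list_posts_weak() {
    global $wpdb;
    $order_by = esc_sql($_GET['order_by'] ?? 'post_date');
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY {$order_by}";
    return $wpdb->get_results($sql);
}

// HARDENED: (1) require a capability and a nonce so the request must come
// from the plugin's own screen, (2) whitelist identifiers instead of escaping
// them, (3) bind every value through $wpdb->prepare().
function demo_list_posts_hardened() {
    global $wpdb;

    if (!current_user_can('edit_posts') ||
        !wp_verify_nonce($_GET['_wpnonce'] ?? '', 'demo_list_posts')) {
        return new WP_Error('forbidden', 'Missing capability or nonce.');
    }

    // Column names cannot be bound as parameters, so map them to a fixed set;
    // anything not in the map falls back to the default.
    $allowed  = ['post_date' => 'post_date', 'post_title' => 'post_title'];
    $order_by = $allowed[$_GET['order_by'] ?? 'post_date'] ?? 'post_date';
    $dir      = (($_GET['dir'] ?? 'DESC') === 'ASC') ? 'ASC' : 'DESC';

    // Values are bound, never interpolated; %d forces an integer and the
    // range clamp keeps the page size sane.
    $limit = max(1, min(100, (int) ($_GET['per_page'] ?? 20)));
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = %s ORDER BY {$order_by} {$dir} LIMIT %d",
        'publish',
        $limit
    );
    return $wpdb->get_results($sql);
}

// The link that reaches the hardened handler must carry the matching nonce:
// wp_nonce_url(admin_url('admin.php?page=demo&order_by=post_title'), 'demo_list_posts');
```

The same whitelist-plus-prepare pattern applies to any identifier (table, column, sort direction) a request can influence; esc_sql() remains appropriate only for values that end up inside quotes.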
So while, as developers, we feel for the Yoast team, we encourage our clients to mass-plugin at their own risk.