March 17, 2015
The Yoast vulnerability and How to fix it
Search Engine Optimization has become the most effective way to promote business. Any commercial website must rank among the top 10 search results generated by Google or other search engines.
In order to achieve this, various new applications and plugins are being used. WordPress SEO is one such plugin.
Ever since it has been launched, this particular plugin has brought a revolution to the SEO services arena. Millions of websites from all over the world are using this plugin, and the services and results it provides.
However, a serious flaw has been discovered in this plugin which is being developed by Yoast. This flaw has made all websites vulnerable to hackers and their safety is being threatened.
Yoast Vulnerability – A Serious Threat to Website’s Security
There has been a latest addition which makes millions of websites vulnerable to hackers. A crucial vulnerability has been traced in one of the most popular plug-ins of the WordPress Content Management platform.
The vulnerability can be found in almost all the versions of the WordPress plug-in, which is known as WordPress SEO by Yoast. According to Yoast, this particular plug-in has been downloaded for more than 20 million times! What has made this plug-in so popular? Well, this plug-in can be used for optimizing websites. It helps in Search Engine Optimization. Though, it proved to be quite efficient and effective; however, the Yoast vulnerability has posed serious doubts on it.
Who discovered it?
The Yoast vulnerability was discovered by one of the developers of WPScan; which is Word Press Vulnerability Scanner. His name is Ryan Dewhurst.
The vulnerability has been commented on across the internet by security researchers and developers.
What is the Issue?
Essentially in SQL Injection attack, attackers insert a deformed SQL query inside an application through client-side input. In this particular scenario; however, a hacker from the outside cannot set off this vulnerability. It is because the fault in fact lies in the the code used by the plugin itself.
So, in order to utilise this vulnerability successfully, the exploit needs to be triggered by an authorised user. The hackers take help of social engineering to achieve this. This is how they do it
- They can track an authorised user
- They trick the user to click on an exploitable URL, which is specially crafted.
What this essentially means is that a hacker can make use of this vulnerability by making the admins of WordPress click on a link. The moment they click on the link, the SQL injection attack would be triggered.
How to fix the problem?
In today’s world, social engineering combined with cheap web hosting means there are an estimated 30 million websites affected. This needs to be fixed… NOW
So, what needs to be done? The WordPress Admins who have the auto-update features disabled are advised to upgrade the WordPress SEO by Yoast plug-in as quickly as possible. Besides, they also have the option of downloading the most recent version from WordPress website.
If you are using WordPress 3.7 or above, then you have the option of enabling the fully automated feature of your themes and plug-ins.
Given the volume of risk factor associated and the fact that most of the websites currently use WordPress SEO, it is absolutely necessary for you to follow these simple steps in order to keep your website safe from millions of hackers who are waiting to exploit this vulnerability.
The simple solution as usual is to keep things up to date. Subscribe to mailing lists for the plugins and other software you use. Keep up to date !
We offer a full turn key website management service including patch management.
Get in touch now to see how we can help.
This Post was first posted 16/03/2015 @ 20:34