This past Wednesday, Yoast, makers of one of the most popular WordPress plugins, WordPress SEO by Yoast, disclosed a blind SQL injection vulnerability that is exploitable against authenticated users by way of a successful cross-site request forgery (CSRF) attack.
What is blind SQL injection and CSRF, how can the WordPress SEO vulnerability affect your site, and what should you do about it?
Don’t worry, SiteLock will help with everything.
SQL injection occurs when a bad actor is able to inject database code (SQL) through a web form input or other request parameter and have the website execute it against its database. Normally, data submitted through web forms is sanitized, or better still bound to the query as a parameter, to prevent this type of injection from occurring.
The original exploit, responsibly disclosed by the WPScan security team, is an authenticated, blind SQL injection vulnerability in WordPress SEO’s admin/class-bulk-editor-list-table.php file, where visitor-controlled input was not properly sanitized despite otherwise good coding practices. This means a bad guy could manipulate the URL and affect the target database without receiving real-time feedback from the query (that’s the blind part).
Here’s where the authenticated part comes in. A CSRF attack is launched when an authenticated user is somehow made to send a request the attacker crafted; because the user’s browser automatically attaches the existing login session, the site treats the forged request as legitimate.
For the SQL injection exploit to work, a WordPress admin, editor, or author must be logged in and essentially tricked into clicking a link which triggers another, malicious action on the logged-in site that the legitimate, logged-in user did not intend. An example would be convincing an authenticated site admin to click a link which resets the admin password. Tricky indeed.
Put together, the WordPress SEO SQL injection vulnerability leverages cross-site request forgery to allow an attacker to make changes to the victim WordPress database. So: find a vulnerable version of WordPress SEO, trick an authenticated user into clicking a link, and run one or more database commands to achieve a nefarious goal.
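To make the two halves of this chain concrete, here is an added example (not code from Yoast, WPScan, or SiteLock) of a small admin listing endpoint in the two states described above: a query that pastes a URL parameter straight into SQL beside the parameterized version that cannot be rewritten, and a per-session CSRF token check that refuses forged requests. The table, the `status` parameter and the `csrf_token` parameter name are constructed for the example and are not the plugin’s schema or WordPress’s nonce API.

```python
import hmac
import secrets
import sqlite3

# Constructed sample rows standing in for a posts table (not the plugin's real schema).
SAMPLE_POSTS = [
    (1, "Public post", "publish"),
    (2, "Unpublished draft", "draft"),
    (3, "Private notes", "private"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def titles_vulnerable(conn: sqlite3.Connection, status: str) -> list:
    """Unsanitized: the request parameter becomes part of the SQL text,
    so a crafted value changes the meaning of the query instead of just its data."""
    sql = f"SELECT title FROM posts WHERE status = '{status}'"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn: sqlite3.Connection, status: str) -> list:
    """Parameterized: the driver binds the value separately from the SQL,
    so whatever the visitor sends is compared literally and never parsed as syntax."""
    sql = "SELECT title FROM posts WHERE status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]


def new_session() -> dict:
    """A logged-in session carrying a random secret that only same-origin pages can read
    and embed in their links and forms; a cross-site attacker cannot guess it."""
    return {"user": "admin", "csrf_token": secrets.token_hex(16)}


def csrf_ok(session: dict, params: dict) -> bool:
    """True only when the request carries the token that belongs to this session.
    Constant-time comparison avoids leaking how many leading characters matched."""
    supplied = params.get("csrf_token", "")  # hypothetical parameter name
    return hmac.compare_digest(supplied, session["csrf_token"])


def handle_list_request(conn: sqlite3.Connection, session: dict, params: dict) -> list:
    """The hardened endpoint: reject forged requests first, then run only the bound query."""
    if not csrf_ok(session, params):
        raise PermissionError("missing or invalid CSRF token")
    return titles_safe(conn, params.get("status", "publish"))


if __name__ == "__main__":
    db = make_db()
    sess = new_session()
    print(titles_vulnerable(db, "x' OR '1'='1"))   # every row: the condition was rewritten
    print(titles_safe(db, "x' OR '1'='1"))         # []: no post has that literal status
    print(handle_list_request(db, sess, {"csrf_token": sess["csrf_token"], "status": "draft"}))
```

The two checks are independent layers: the token check stops the link-click step (a forged request never reaches the query), and the bound parameter stops the injection step even if an attacker somehow obtains a valid session. Patching the plugin restores the second layer; WordPress nonces on admin actions provide the first.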
If you run the WordPress SEO by Yoast plugin on your site, update immediately. Patched versions for the 1.5, 1.6, and 1.7 branches are 1.5.7, 1.6.4, and 1.7.4 respectively. If you’re not running one of those versions, again, upgrade immediately. Premium users are urged to follow the upgrade instructions at http://kb.yoast.com/article/34-how-can-i-update-my-premium-plugin.
With SiteLock on your side and your website, you’re already protected from the SQL injection vulnerability on multiple fronts. The SiteLock TrueShield web application firewall stops SQL injection attacks before they reach your site. SiteLock SMART and penetration testing scanners find and remove malware automatically if by some chance malware gets on your site. Finally, SiteLock TrueCode can perform deep code analysis to catch vulnerabilities in your codebase before it’s deployed.
Keep your WordPress install, plugins, and themes up-to-date, and visit the SiteLock Blog for the latest, essential security news.