Over a million WordPress websites that use a popular plug-in to optimize their search engine results are at risk of being hacked if they don’t apply a newly released patch.
The WordPress SEO plug-in developed by Dutch website optimization firm Yoast contains a vulnerability that allows attackers to manipulate a site’s database and add rogue administrative accounts.
The so-called blind SQL injection vulnerability was discovered by Ryan Dewhurst, a security researcher and co-developer of the WPScan vulnerability scanner. The flaw affects versions 126.96.36.199 and older of WordPress SEO by Yoast.
In theory, exploiting the flaw requires authentication. However, since there is no cross-site request forgery (CSRF) protection, an attacker could exploit the flaw by tricking an authenticated user—like an administrator, editor or author—to click on a specially crafted link or to visit a malicious page, Dewhurst said in an advisory.
A CSRF attack involves forcing a user’s browser to execute an unauthorized action on a third-party website when that user visits a Web page controlled by an attacker. Websites must implement special protection mechanisms to prevent such attacks.
Yoast addressed the flaw Wednesday by releasing version 1.7.4 of the free WordPress SEO plug-in and version 1.5.3 of the product’s commercial variant, which was also affected.
The free WordPress SEO plug-in has been downloaded over 14.2 million times. According to official WordPress statistics, it has over 1 million active installations, making it not just one of the most popular plug-ins for search engine optimization (SEO), but one of the most popular WordPress plug-ins overall.