Yoast SEO WordPress Plugin is Susceptible to Hackers
Millions of sites built on WordPress are at risk of being hacked through a Blind SQL Injection, the result of a security hole in the widely used SEO plugin by Yoast. The plugin has been updated to address this vulnerability – make sure you update to the latest version (1.7.4) if you use the Yoast plugin.
What Is a Blind SQL Injection?
This type of attack asks the application a series of true or false questions and infers the answer from how the application responds, since no query output is shown directly. The attacker's goal is to get crafted SQL executed against the database in order to extract, modify, or delete data, and the same foothold can be used to insert unauthorised spam or affiliate links, or malware, onto the website.
The new version of the Yoast SEO plugin is supposed to have fixed the vulnerability:
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
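The three measures in that changelog entry (strict whitelisting of order_by and order, a nonce check, and an Editor-level capability check) as an added illustration in WordPress PHP. This is not the Yoast plugin's own code: the function names, nonce action and column list are hypothetical, and it assumes the usual WordPress globals are loaded.

```php
<?php
// Added illustration (not the Yoast plugin's own code): hardening a bulk-editor
// style listing against the two issues named in the changelog, CSRF and a
// user-controlled ORDER BY. Assumes it runs inside WordPress with $wpdb loaded.

// Weak pattern: order_by/order go straight into the query. $wpdb->prepare()
// cannot parameterise identifiers or keywords, so this stays injectable.
function yst_demo_list_posts_unsafe( $order_by, $order ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY {$order_by} {$order}"
    );
}

// Hardened pattern: nonce check, capability check, and strict whitelisting
// of both sort parameters before anything reaches SQL.
function yst_demo_list_posts_safe() {
    global $wpdb;
    // CSRF: the request must carry a nonce minted for this action (hypothetical names).
    check_admin_referer( 'yst_demo_bulk_edit', 'yst_demo_nonce' );

    // Authorisation: Editors and above only (edit_others_posts is an Editor capability).
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Whitelist: anything not in these lists falls back to a safe default.
    $allowed_order_by = array( 'post_title', 'post_date', 'post_modified' );
    $allowed_order    = array( 'ASC', 'DESC' );

    $order_by = isset( $_GET['order_by'] ) ? sanitize_key( wp_unslash( $_GET['order_by'] ) ) : 'post_date';
    $order    = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';

    if ( ! in_array( $order_by, $allowed_order_by, true ) ) {
        $order_by = 'post_date';
    }
    if ( ! in_array( $order, $allowed_order, true ) ) {
        $order = 'DESC';
    }

    // Only whitelisted literals are interpolated; the values are bound via prepare().
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY {$order_by} {$order} LIMIT %d",
            'publish',
            50
        )
    );
}
```

The whitelist is the key step: because ORDER BY takes identifiers rather than values, prepared-statement placeholders cannot protect it, so the only safe inputs are ones matched exactly against a fixed list.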