3.13.2015

Critical flaw in WordPress SEO plugin hits millions of sites

Summary: A blind SQL injection attack could result in unauthorized access to a WordPress installation. Users on hosted WordPress.org versions have been patched automatically.

A security flaw in a popular WordPress plugin has been patched, preventing hackers from potentially taking over an entire blog installation.
 
Yoast, the maker of the popular "wordpress-seo" plugin for the blogging platform, said it has patched a cross-site request forgery (CSRF) flaw that could be chained into a blind SQL injection attack. That could have allowed a hacker to modify the back-end database, which in turn might have allowed the insertion of malware, adware, spam links, or other unwanted content.
 
The flaw required some work by a malicious actor, however. An authorized WordPress user would have had to be tricked into clicking a carefully crafted link in order for a hacker to exploit it.
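The chain the article describes (a request forged through a logged-in user's browser, whose parameter then reaches an unparameterised query) is a well-known WordPress plugin anti-pattern. The snippet below is an added illustration written for this page, not Yoast's code and not the plugin's actual handler: a hypothetical admin-ajax endpoint shown first in the vulnerable shape and then with the standard WordPress mitigations (a nonce check, a capability check, and `$wpdb->prepare`). The function and action names `example_lookup_option*` are assumptions.

```php
<?php
/*
 * Added illustration, not Yoast's code: a hypothetical WordPress admin-ajax
 * handler that lets an administrator look up an option row by name. The
 * "before" shows the CSRF + SQL-injection pattern the article describes
 * (no nonce, no capability check, string-concatenated SQL); the "after"
 * shows the usual WordPress mitigations. All names here are assumptions.
 */

// BEFORE: any logged-in user who follows a crafted link runs this, and the
// 'name' parameter is concatenated straight into the SQL string.
function example_lookup_option_unsafe() {
    global $wpdb;
    $name = $_GET['name'];
    $sql  = "SELECT option_value FROM {$wpdb->options} WHERE option_name = '$name'";
    wp_send_json_success( $wpdb->get_var( $sql ) );
}

// AFTER: the request must carry a nonce bound to this action and the
// caller's session (a page on another origin cannot obtain it, so a forged
// link fails here), the caller must hold the required capability, and the
// input is bound as a parameter instead of interpolated.
function example_lookup_option_safe() {
    global $wpdb;

    // Missing or stale nonce: WordPress answers -1 with HTTP 403 and exits.
    check_ajax_referer( 'example_lookup_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $name = sanitize_text_field( wp_unslash( $_GET['name'] ?? '' ) );
    $sql  = $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        $name
    );
    wp_send_json_success( $wpdb->get_var( $sql ) );
}
add_action( 'wp_ajax_example_lookup_option', 'example_lookup_option_safe' );

// The plugin's own admin page mints the matching nonce when it builds the
// request URL; this is the only place the nonce legitimately comes from.
function example_lookup_option_url( $name ) {
    return add_query_arg(
        array(
            'action' => 'example_lookup_option',
            'name'   => $name,
            'nonce'  => wp_create_nonce( 'example_lookup_option' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}
```

The two checks address the two halves of the chain independently: the nonce stops a third-party page from driving the endpoint through a victim's session, and the prepared statement stops any value that does reach the query from altering its structure. Either one alone leaves a gap, which is why reviewing a plugin's state-changing or data-reading endpoints for both is the practical check to run.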
 
Yoast credited Ryan Dewhurst with finding the flaw; Dewhurst reported the vulnerability privately, preventing it from being exploited in the wild.
 
Dewhurst said: "One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site."
 
The severity of the flaw resulted in a forced automatic update by WordPress.org, the blogging platform's hosted service.
 
Although version 1.5 and above have been patched, users on an older version of the plugin must manually update.
 
~ Zack Whittaker
