Critical Vulnerability in WordPress SEO Plugin
A critical vulnerability has been discovered in the WordPress SEO Plugin by the WPScan team and announced over at WPVulnDB. The attack is classified as a Blind SQL Injection vulnerability and if successfully executed could allow the attacker to modify the database and create their own admin user – once the admin is compromised in many cases they can build out the attack from there and your site is wide open.
The scope for this one is huge – the plugin has over a million downloads on the WordPress Plugin directory at the time of writing, so there is no shortage of sites out there using it. The attack could allow for creation of an admin user and modification of the database, so it really opens the door for the attacker to do whatever they see fit.
Likely we will see a whole host of black hat SEO attacks where sites will be used as part of a link network or have additional content inserted to promote pharma sites, sell fake Ugg boots or distribute further malware.
The damage to sites can involve loss of customer data, loss of traffic, damage to visibility in search results and a loss of credibility with prospects and customers due to visible infection and malware distribution. Clean up for compromised sites without a backup can also be more problematic, as the hacker will have full administrative access to the site and can create a range of backdoors to reinfect the site after clean up of this specific vulnerability.
The plugin is a favourite in the SEO community so if you run WordPress and have a savvy SEO firm you may well find that WordPress SEO is installed. Certainly, it is our SEO plugin of choice over at our sister company Bowler Hat.
You will want to check the source code of your site and look for the following line (or similar):
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.7.4 - https://yoast.com/wordpress/plugins/seo/ -->
If you are not running 1.5.4, 1.6.4 or 1.7.4 you likely have a problem. If you are unsure and would like a friendly set of eyes to take a look, get in touch and we will confirm and advise on your next steps. We offer a completely free WordPress security audit, so if you have any doubts at all get in touch and we can put your mind to rest.
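To make that manual source check repeatable across many sites, here is a small added script (our own example, not part of the original post or the plugin) that pulls the version out of the generator comment shown above and compares it against the first patched release on each affected branch. It assumes the comment keeps the exact wording quoted above and treats any release newer than 1.7.4 as already patched; the HTML sample is constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a page head as emitted by an unpatched install.
SAMPLE_HTML = """<html><head>
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.7.3 - https://yoast.com/wordpress/plugins/seo/ -->
</head></html>"""

# First fixed release on each affected branch, as listed in the post.
PATCHED = {(1, 5): (1, 5, 4), (1, 6): (1, 6, 4), (1, 7): (1, 7, 4)}

# Matches the generator comment the plugin writes into the page source.
VERSION_RE = re.compile(
    r"optimized with the Yoast WordPress SEO plugin v(\d+(?:\.\d+)*)", re.I)


def extract_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the plugin version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(html)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version: Optional[Tuple[int, ...]]) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown'."""
    if version is None:
        return "unknown"          # comment missing: plugin absent or hidden
    branch = version[:2]
    if branch in PATCHED:         # 1.5.x / 1.6.x / 1.7.x: compare to fix
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    if version < (1, 5):          # anything before 1.5 needs urgent update
        return "vulnerable"
    return "patched"              # assumption: newer than the fix releases


def check_html(html: str) -> Tuple[Optional[str], str]:
    """Convenience wrapper: (version string or None, assessment)."""
    version = extract_version(html)
    label = ".".join(map(str, version)) if version else None
    return label, assess(version)


if __name__ == "__main__":
    print(check_html(SAMPLE_HTML))  # ('1.7.3', 'vulnerable')
```

Feed it the saved source of each site you manage (for example via urllib or curl) and anything reported as vulnerable or unknown goes to the top of your update list.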
The vendor (the venerable Yoast) was notified and has patched the vulnerability, so in most cases protecting your site from this is as simple as backing up your WordPress installation and updating the WordPress SEO plugin. Additionally, WordPress.org has pushed out an update for sites using 1.5, 1.6 and 1.7, so they should all be updated to a secure version, but you will want to manually review and ensure you are using the latest version, and any sites using a version prior to 1.5 need to update urgently.
Is your site wearing wArmour?
All wArmour users will see their site backed up and updated the moment the new version of the plugin is released, and our firewall and hardening will protect the site in the interim. If you are concerned your site has been compromised, get in touch and we can offer a one-time clean up or ongoing maintenance to ensure you get secure and can concentrate on running your business.