WordPress plugin used by millions sports critical site-hijacking flaw
Another popular Yoast WordPress plugin has been found sporting a critical vulnerability that can be exploited by attackers to take over control of the site.
A week ago it was the WordPress SEO plugin, which is actively used on more than a million of WP sites. This time it’s the company’s Google Analytics plugin, which has apparently been downloaded around 7 million times.
According to the researcher who discovered the issue, Jouko Pynn?¶nen of Finland-based Klikki Oy, the vulnerability “allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required.”
“Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.
He also provided PoC code for the exploitation, but only because the flaw has already been patched.
Yoast was notified about the flaw on Wednesday, and a new version of the plug-in (5.3.3) was released on Thursday. Needless to say, users are advised to update to it as soon as possible.
According to Yoast owner Joost de Valk, there has been no evidence that the flaw was exploited in the wild.
“The issue we fixed was another compound issue where an unauthenticated user could change the list of profiles in Google Analytics (he couldn’t change the active UA code, so he couldn’t impact your tracking directly),” he explained.
“This list of profiles could be made malicious because Google Analytics allows property names that have JavaScript code in them. At that point an admin visiting the settings page could suffer from a stored XSS attack because we didn’t properly escape the property names on output. This is not something a hacker could easily automate, hence the low DREAD score, but if someone wanted to seriously target your site, he could.”