Search the Community

Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection Version/s Tested: 1.7.3.3 Patched Version: 1.7.4 CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) WPVULNDB: https://wpvulndb.com/vulnerabilities/7841 Description: WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used to improve the Search Engine Optimization (SEO) of WordPress sites. The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The plugin has more than one million downloads according to WordPress. Technical Description: The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query. Line 529: $orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title'; Line 533: order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) ); If the GET orderby parameter value is not empty it will pass its value through WordPess's own esc_sql() function. According to WordPress this function 'Prepares a string for use as an SQL query. A glorified addslashes() that works with arrays.'. However, this is not sufficient to prevent SQL Injection as can be seen from our Proof of Concept. Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user. http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc Using SQLMap: python sqlmap.py -u " http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc" --batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; wordpress_logged_in_9dee67...;" Impact: As there is no anti-CSRF protection a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control. One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site. Timeline: March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst (WPScan Team - Dewhurst Security). March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team). March 10th 2015 - 20:00 GMT: Vendor contacted via email. March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave expected patch timeline. March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches this issue. March 11th 2015 - 12:30 GMT: Advisory released. Source

A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of Millions of websites at risks of being hacked by the attackers. The vulnerability actually resides in most versions of a WordPress plugin known as ‘WordPress SEO by Yoast,’ which has more than 14 Million downloads according to Yoast website, making it one of the most popular plugins of WordPress for easily optimizing websites for search engines i.e Search engine optimization (SEO). The vulnerability in WordPress SEO by Yoast has been discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’. All the versions prior to 1.7.3.3 of ‘WordPress SEO by Yoast’ are vulnerable to Blind SQL Injection web application flaw, according to an advisory published today. SQL injection (SQLi) vulnerabilities are ranked as critical one because it could cause a database breach and lead to confidential information leakage. Basically in SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. HOW YOAST VULNERABILITY WORKS However, in this scenario, an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the 'admin/class-bulk-editor-list-table.php' file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only. Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick authorized user to click on a specially crafted payload exploitable URL. If the authorized WordPress user falls victim to the attack, this could allow the exploit to execute arbitrary SQL queries on the victim WordPress web site, Ryan explained to security blogger Graham Cluley. Ryan also released a proof-of-concept payload of Blind SQL Injection vulnerability in ‘WordPress SEO by Yoast’, which is as follows: http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc PATCH FOR YOAST SQLi VULNERABILITY However, the vulnerability has reportedly been patched in the latest version of WordPress SEO by Yoast (1.7.4) by Yoast WordPress plugin developers, and change log mentions that latest version has "fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor." Generally, it has been believed that if you have not installed WordPress Yoast for SEO, then your WordPress website is seriously incomplete. The vulnerability is really serious for website owners who wish to increase their search engine traffic by using this plugin. Therefore, WordPress administrators with disabled Auto-update feature are recommended to upgrade their WordPress SEO by Yoast plugin as soon as possible or they can manually download the latest version from WordPress plugin repository. If you have installed WordPress 3.7 version and above, then you can enable fully automate updating of your plugins and themes from Manage > Plugins & Themes > Auto Updates tab.

Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin . contents:: Table Of Content Overview Title :Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin Author: Kaustubh G. Padwad, Rohit Kumar. Plugin Homepage: https://yoast.com/wordpress/plugins/google-analytics/ Severity: Medium Version Affected: Version 5.3.2 and mostly prior to it Version Tested : Version 5.3.2 version patched: Description Vulnerable Parameter Current UA-Profile Manually enter your UA code Label for those links Set path for internal links to track as outbound links: Subdomain tracking: Extensions of files to track as downloads: About Vulnerability This plugin is vulnerable to a Stored Cross Site Scripting vulnerability,This issue was exploited when administrator users with access to "Google Analytics by Yoast" Setting in wordpress above listed vulnerable parameter is vulnerable for stored XSS. A malicious administration can hijack other users session, take control of another administrator's browser or install malware on their computer. Vulnerability Class Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) After installing the plugin Goto settings --> Google Analytics by Yoast Input this payload in "Manually enter your UA code" :- v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x Click on the Save Changes button and navigate your cursor to input box,you will see XSS in action Reload the page or re navigate to page to make sure its stored Mitigation https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits Change Log https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits Disclosure 22-February-2015 Reported to developer 25-February-2015 Fixed by developer 05-March-2015 Issue Closed with team. 06-March-2015 Public Discloser credits Kaustubh Padwad & Rohit Kumar Information Security Researcher kingkaustubh@me.com & kumarrohit2255@gmail.com @s3curityb3ast,@rkumars3c [url]http://breakthesec.com[/url] [url]https://www.linkedin.com/in/kaustubhpadwad[/url] Source