If you run the popular search engine optimization plugin Yoast SEO, you should check to make sure it’s the latest version. Because new reports have emerged indicating that outdated versions of Yoast SEO are vulnerable to a type of cyber attack known as a Blind SQL injection.
Yoast SEO is by far the most popular SEO plugin for WordPress, boasting more than 14 million downloads and counting. Of course, there’s a good reason for this: the free-to-use plugin features customizable post titles and meta descriptions, robots configuration, canonical URLs, breadcrumbs, permalinks, XML sitemap generator, RSS feed enhancement, head section cleanup, content analysis, remove code bloat, and more. But like many plugins, it’s also come under fire is a security risk.
Security experts say Yoast SEO (the prior versions) is vulnerable to Blind SQL injections, a vulnerability in which the hacker sends true/false questions to the server’s MySQL database and determines the answer from the response. As noted by Search Engine Land, this type of attack is frequently used on sites which are configured to show default error messages but has not fixed the problematic code.
Furthermore, Blind SQL injections can also be used to manually insert SQL code into the database, which is where the real problem lies. A hacker could potentially extract or insert malicious code via SQL injections. The hacker may set up the website to automatically redirect users to his or her website, or a hacker could install malware on the site, infecting anyone who visits it.
MySQL injections often go unnoticed by webmasters. A hacker may configure the database only to redirect users who originate from Google or other search engines, for instance. So when the webmaster visits the site, it appears reasonable. But when an actual visitor visits the site, he or she will be redirected to the hacker’s site.
“A remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress website by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control,” said Ryan Dewhurst of WPScan.org. “One possible attack scenario would be an attacker adding their administrative user to the target WordPress site, allowing them to compromise the entire web site.”
The good news is that Yoast has since identified and fixed the problem, patching the vulnerability in version 1.7.4. So if you have Yoast SEO plugin running on your WordPress site, check to make sure it’s updated.
Or Contact WebWize At 713-416-7111
Before making a final decision on a Web Design Company, spend a few minutes on the phone with us.
About Glenn Brooks
Glenn Brooks is the founder of WebWize, Inc. WebWize has provided web design, development, hosting, SEO and email services since 1994. Glenn graduated from SWTSU with a degree in Commercial Art and worked in the advertising, marketing, and printing industries for 18 years before starting WebWize.