Well, it seems the crooks and thieves of the Internet have been at it again. Yet another vulnerability has been discovered in a WordPress plugin that has the potential to affect millions of people around the world. Unfortunately, the plugin is extremely popular and has been downloaded over 14 million times. The SEO by Yoast plugin has been found to be vulnerable to an SQL injection attack (SQLi) and is extremely problematic. This vulnerability has the potential to ruin your website.
What is SQL Injection?
Unless you are an internet security guru or SQL master, you may not understand what an SQL injection attack is. An SQLi attack is an attempt made by a black hat hacker or person with malicious intent to destroy, disrupt or break a website or web component with a malformed query. The database is not able to correctly process the malformed query and breaks as a result.
However, the new SEO by Yoast security threat only exists in a file that is accessible by a user with administrator privileges. The “admin/class-bulk-editor-list-table.php” file is where the vulnerability is actually contained. At first glance, it may sound like the attack can only be made if a malicious hacker first gains administrator rights to your website. Unfortunately, this is not the case.
How the Attack is Carried Out
While an attacker who has escalated their privileges on a hacked website certainly could carry out this SQLi attack, there is a much easier way for attackers to exploit the vulnerability. All they need to do is trick an administrator into making the invalid SQL query. They do this by deceiving an admin into clicking on a link that will trigger the injection attack. The link that the administrator follows will send a custom-crafted payload that gives the attacker control over data contained in the database. This makes the attack procedure much simpler for the hacker because they do not need to gain administrator privileges in the first place.
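The pattern described above (a request parameter spliced straight into an admin page's query, reachable by a link the admin is tricked into clicking) and a hardened version, as an added illustration that is not the plugin's code: the hardened handler refuses any request that does not carry the admin's nonce, so a crafted link does nothing, and then accepts only column names from a fixed whitelist, since ORDER BY cannot take a bound parameter. The table layout, parameter names, nonce value and the Python/sqlite stand-in for WordPress's PHP are assumptions for illustration.

```python
import hmac
import sqlite3

# Constructed stand-in for a posts table; the real plugin's schema is not shown on the page.
ALLOWED_ORDERBY = {"post_title", "post_date"}   # columns the list table may sort on
ALLOWED_ORDER = {"ASC", "DESC"}


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, post_title TEXT, post_date TEXT)")
    db.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "Beta", "2015-03-01"), (2, "Alpha", "2015-03-02")],
    )
    return db


def list_posts_vulnerable(db, params):
    """Unsafe pattern: the sort parameters from the URL are pasted into the SQL text.

    ORDER BY cannot take a bound parameter, so whatever expression arrives in
    'orderby' is executed by the database as part of the query."""
    orderby = params.get("orderby", "id")
    order = params.get("order", "ASC")
    sql = f"SELECT id FROM posts ORDER BY {orderby} {order}"
    return [row[0] for row in db.execute(sql)]


def list_posts_hardened(db, params, expected_nonce):
    """Hardened handler: CSRF nonce check first, then a strict whitelist.

    A link crafted by an outsider cannot carry the admin's nonce (assumed here
    to be a per-session secret), so the request is refused before any query is
    built; a request with a valid nonce may still only sort by a known column."""
    supplied = params.get("_wpnonce", "").encode()
    if not hmac.compare_digest(supplied, expected_nonce.encode()):
        raise PermissionError("missing or invalid nonce")
    orderby = params.get("orderby", "post_date")
    order = params.get("order", "ASC").upper()
    if orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER:
        raise ValueError("orderby/order not in whitelist")
    # Safe to interpolate: both values are now whitelisted literals, not user input.
    sql = f"SELECT id FROM posts ORDER BY {orderby} {order}"
    return [row[0] for row in db.execute(sql)]
```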
Adverse Consequences of an Attack (Why You Should Care)
You might be asking yourself, “But what does the attack actually do to my website? How does it actually harm me?” The answer to this question really depends on what kind of data you have contained in your database. A successful attack gives the attacker the ability to access sensitive information contained in SQL tables.
For example, let’s say you have an ecommerce store and one of your tables contains sensitive customer information and payment transactions. A successful attack will give the attacker visibility into your database and allow them to make changes such as inserts, updates, and deletes. They will be able to change the data, wipe it out completely, and create new bogus information. In short, they will have the ability to completely wreck your database. This is extremely worrisome, because an attacker could be allowed to view customer information, transaction balances, phone numbers, email addresses, and even banking information. If your website is compromised due to this vulnerability, you can suffer massive setbacks.
Code Versions that Contain the Flaw
The vulnerability can be found in every version of SEO by Yoast before 1.7.4. Fortunately, there is already an update to the plugin that fixes the vulnerability. It is extremely easy to protect yourself from these types of risks on the Internet. The only thing you need to do is make sure you constantly update your plugins and code versions to mitigate the risks of such an attack. Update 1.7.4 for the Yoast SEO plugin has fixed the code vulnerability. If you don’t understand how to keep your code properly updated, you will definitely want to hire an expert to maintain your website.
You May Still Be at Risk
Many intelligent website managers use a WordPress feature that automatically updates components of their website when a new code version, patch, or update is released. However, some people prefer to do this manually. If you are in the latter category, you need to check your version of this plugin as soon as possible. With all of the maintenance tasks it takes to run a website, it can be easy to forget to update a plugin. However, this one little mistake could cost your business time, money, and serious setbacks.
What Comes Next
You need to adopt the mentality that the Internet will never be completely secure. It simply grows and changes too fast for every security threat to be solved forever. There will be another code vulnerability or new attack procedure in the future. But when it comes, will you be prepared to face it? If you fail to keep your code updated, you are leaving yourself open to a host of unnecessary risks. It is far easier to hire a qualified expert to maintain the safety of your website. One attack could harm your website or even present legal challenges. Don’t allow hackers to take advantage of you online. Do your due diligence and mitigate threats with adequate security and maintenance.