Hacker News reports that a vulnerability affecting millions of users has been found in the industry-leading WordPress plugin SEO by Yoast. According to an advisory, all versions of SEO by Yoast prior to 1.7.3.3 are vulnerable to a Blind SQL Injection web application flaw. This is considered a critical vulnerability because it could seriously compromise your WordPress site.

The vulnerability in WordPress SEO by Yoast was discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’. According to an advisory published today, all versions of ‘WordPress SEO by Yoast’ prior to 1.7.3.3 are vulnerable to a Blind SQL Injection web application flaw.
Ryan also released a proof-of-concept payload for the Blind SQL Injection vulnerability in ‘WordPress SEO by Yoast’, which is as follows:
http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
PATCH FOR YOAST SQLi VULNERABILITY
However, the vulnerability has reportedly been patched in the latest version of WordPress SEO by Yoast (1.7.4) by the Yoast WordPress plugin developers, and the change log mentions that the latest version has "fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor."
If you have installed WordPress version 3.7 or above, you can enable fully automated updating of your plugins and themes from the Manage > Plugins & Themes > Auto Updates tab.
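The payload above works because the bulk editor's orderby value is placed into an ORDER BY clause, which cannot be bound as a prepared-statement parameter, so the defensive pattern is an allow-list of column names. As an added example (not code from the article, from Ryan Dewhurst, or from Yoast), the following Python script applies such an allow-list to the orderby and order parameters of admin.php?page=wpseo_bulk-editor requests found in constructed Apache access-log lines, so an administrator can check whether the bulk editor was probed before the update to 1.7.4 was applied; the column names in ALLOWED_ORDERBY are an assumption, not the plugin's actual list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real server).
# The second line carries the proof-of-concept query string quoted in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2015:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date&order=asc HTTP/1.1" 200 5120
203.0.113.7 - - [11/Mar/2015:10:01:09 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc HTTP/1.1" 200 5120
203.0.113.9 - - [11/Mar/2015:10:02:15 +0000] "GET /wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_title&order=desc HTTP/1.1" 200 5120
203.0.113.9 - - [11/Mar/2015:10:02:20 +0000] "GET /wp-admin/edit.php?orderby=title&order=asc HTTP/1.1" 200 8120
"""

# Assumed allow-list of sortable columns: anything else, including a column
# name followed by a comma and a subquery, is rejected outright.
ALLOWED_ORDERBY = {"post_title", "post_date", "post_type", "post_status"}
ALLOWED_ORDER = {"asc", "desc"}

# Extracts the request line from a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_sort(orderby, order):
    """True only when both sort parameters are exact members of the allow-lists."""
    return orderby in ALLOWED_ORDERBY and order.lower() in ALLOWED_ORDER


def suspicious_bulk_editor_requests(log_text):
    """Return (client_ip, decoded orderby) for bulk-editor requests failing the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so %2c and %20 become ',' and ' '.
        qs = parse_qs(urlsplit(m.group("target")).query)
        if qs.get("page", [""])[0] != "wpseo_bulk-editor":
            continue
        orderby = qs.get("orderby", [""])[0]
        order = qs.get("order", ["asc"])[0]
        if not is_safe_sort(orderby, order):
            hits.append((line.split()[0], orderby))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_bulk_editor_requests(SAMPLE_LOG):
        print(f"{ip} sent non-allow-listed orderby: {value!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; only requests to the bulk editor are examined, so ordinary admin traffic is not flagged.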
For More Visit Us @ WPEMY
Already patched my WordPress network and client too.
Thanks for sharing this information.