Security researcher Bassem Essam uncovered a critical cross-site scripting (XSS) vulnerability in the widely-used Yoast SEO WordPress plugin, potentially jeopardizing over 5 million websites.
XSS Vulnerability in Yoast SEO Plugin
Unauthenticated attackers can inject malicious scripts into WordPress pages through the plugin’s URL parameters. When an administrator opens the manipulated URL, the injected scripts run in their browser session.
This vulnerability could let attackers create unauthorized admin accounts, insert backdoors into theme and plugin files, redirect visitors to malicious sites, and take full control of the vulnerable WordPress site, as stated in the advisory.
To execute the attack, an administrator must be deceived into clicking a harmful link. Yoast has issued a fix in version 22.6 to rectify the security flaw.
All Yoast SEO users are strongly advised to update promptly. As per WordPress.org, the plugin is active on more than 5 million WordPress installations.
Wordfence, a web security company, has implemented firewall rules to shield its users from potential exploit attempts aimed at this vulnerability. Bassem Essam received a $563 bug bounty for discovering and reporting the flaw. Ram Gall, QA Engineer at Defiant, the company behind Wordfence, emphasized that this vulnerability underscores the importance of users adhering to security best practices, such as avoiding clicking on links from untrusted sources.
Given that Yoast SEO is the most widely used WordPress plugin for search engine optimization, this vulnerability carries significant weight. Therefore, website owners utilizing the plugin should promptly update to version 22.6 or later. Additionally, administrators are encouraged to thoroughly inspect their sites for any indications of suspicious activity.
The event highlights the critical need to maintain updated WordPress plugins and the valuable contribution of bug bounty programs in responsibly reporting vulnerabilities. Additional information regarding the flaw, including its discovery and resolution timeline, can be found on the Wordfence blog.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment