Over a million WordPress websites that use a popular plug-in to optimize their search engine results are at risk of being hacked if they don’t apply a newly released patch.
The WordPress SEO plug-in developed by Dutch website optimization firm Yoast contains a vulnerability that allows attackers to manipulate a site’s database and add rogue administrative accounts.
The so-called blind SQL injection vulnerability was discovered by Ryan Dewhurst, a security researcher and co-developer of the WPScan vulnerability scanner. The flaw affects versions 1.7.3.3 and older of WordPress SEO by Yoast.
In theory, exploiting the flaw requires authentication: the injectable request is only accepted from a logged-in user. However, because the request carries no cross-site request forgery (CSRF) protection, an attacker could exploit the flaw by tricking an authenticated user, such as an administrator, editor or author, into clicking a specially crafted link or visiting a malicious page, Dewhurst said in an advisory. The victim's browser then submits the attacker's payload with the victim's own session, and the "authentication required" barrier is effectively bypassed.
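The two defects the advisory describes, an unsanitized ordering parameter concatenated into a query and the absence of a CSRF nonce, are easier to reason about side by side. The following is an added example written for this page; it is a Python/SQLite model of the pattern, not the plugin's PHP, and the table names, the `orderby` parameter and the nonce handling are assumptions chosen for illustration. The vulnerable handler leaks one bit per request through row order alone, which is what makes the injection "blind"; the hardened handler refuses requests without a valid per-session nonce and allow-lists the sort column, since an ORDER BY target cannot be bound as a prepared-statement parameter.

```python
import hmac
import secrets
import sqlite3

# Columns a caller may legitimately sort on (assumption for this example).
ALLOWED_ORDERBY = {"id", "title"}


def build_db():
    """Constructed in-memory database standing in for the WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO posts VALUES (1, 'first'), (2, 'second'), (3, 'third');
        INSERT INTO users VALUES (1, 'admin', '7c4a8d09ca3762af');  -- constructed
        """
    )
    return conn


def vulnerable_list(conn, orderby):
    """Model of the flawed handler: no nonce check, orderby spliced into SQL."""
    # BUG (intentional): attacker-controlled text becomes part of the statement.
    rows = conn.execute(f"SELECT id FROM posts ORDER BY {orderby}").fetchall()
    return [r[0] for r in rows]


def blind_probe(conn, condition):
    """Return True if the SQL boolean `condition` holds, inferred from row order.

    Nothing from `condition` is echoed back; only the sort direction changes,
    which is exactly the one-bit oracle a blind injection relies on.
    """
    payload = f"CASE WHEN ({condition}) THEN id ELSE -id END"
    return vulnerable_list(conn, payload)[0] == 1


def extract_hash_prefix(conn, length):
    """Recover the first `length` characters of the admin hash, one per probe run."""
    charset = "0123456789abcdef"  # hex, since the constructed hash is hex
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            cond = (
                f"(SELECT substr(pass_hash, {pos}, 1) FROM users "
                f"WHERE login = 'admin') = '{ch}'"
            )
            if blind_probe(conn, cond):
                recovered += ch
                break
    return recovered


def issue_nonce():
    """Per-session secret the form embeds; a cross-site page cannot read it."""
    return secrets.token_hex(16)


def hardened_list(conn, orderby, session_nonce, submitted_nonce):
    """Fixed handler: CSRF nonce verified, sort column allow-listed."""
    if not hmac.compare_digest(session_nonce, submitted_nonce):
        raise PermissionError("missing or invalid nonce")
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError("unsupported orderby column")
    # Safe: orderby is now one of a fixed set of identifiers we control.
    rows = conn.execute(f"SELECT id FROM posts ORDER BY {orderby}").fetchall()
    return [r[0] for r in rows]


def raises(exc_type, fn, *args):
    """Small helper so callers can check a rejection without try/except."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("leaked hash prefix:", extract_hash_prefix(db, 4))
    nonce = issue_nonce()
    print("hardened, valid request:", hardened_list(db, "title", nonce, nonce))
    print("hardened, no nonce rejected:",
          raises(PermissionError, hardened_list, db, "title", nonce, ""))
```

Run stand-alone, the script shows the vulnerable path disclosing hash characters without the attacker ever seeing a query result, then the hardened path accepting a well-formed request and rejecting one that lacks the nonce. Note that the nonce alone would not have fixed the injection for a logged-in attacker, and the allow-list alone would not have stopped a tricked administrator from submitting a legitimate-looking but unintended request; both controls are needed.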