WordPress SEO and WooCommerce Plugins
- Website Security,
- WordPress,
- WooCommerce,
- Yoast
WordPress Plugin Security Issues Raise Their Ugly Heads Again
No time to rest on your laurels! Two of the biggest plugins in WordPress — WordPress SEO by Yoast and WooCommerce by WooThemes had security vulnerabilities and, more importantly, fixes announced, in the last week.
It's important that you update these two plugins as soon as possible - otherwise you run the risk of your website being hacked!
In both cases you should make a backup of your site BEFORE upgrading the plugins.
WordPress SEO plugin by Yoast
A blind SQL injection vulnerability was discovered by Ryan Dewhurst of the WPScan team who notified Yoast, the plugin developers.
The Yoast team immediately put out a patch with a security fix. For more information published by the Yoast team see: https://yoast.com/wordpress-seo-security-release/.
The Issue
v.1.7.3.3 was found to be affected by two authenticated (admin, editor or author user) blind SQL injection vulnerabilities within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters were not sufficiently sanitised before being used within a SQL query.
The Answer
Update to v.1.7.4 if your WordPress installation hasn't already automatically done this for you.
WooCommerce by WooThemes
Within a couple of days of the Yoast security issue, a security vulnerability was also found in the WooCommerce plugin v.2.3.5 and older versions, discovered by Matt Barry, from Wordfence.
The WooCommerce team reacted quickly and issued an update with a security fix.
The Issue
A SQL injection vulnerability was found in the admin panel. Within the Tax Settings page of WooCommerce, the key of the 'tax_rate_country' POST parameter is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds. Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.
The Answer
Update to v.2.3.6 immediately.
Addendum
#1 On April 20, 2015 Sucuri published a list of other plugins that were also vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions.
- Jetpack
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor & Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken Link Checker
- Ninja Forms
Sucuri went on to say "there are probably more plugins that have not yet been found that have the same problem [they've only looked into the top 300 - 400 and others that were notable]".
add_query_arg() and remove_query_arg() are relatively common functions in advanced WordPress development so in all likelihood, many more plugins than those listed above are likely to have similar vulnerabilities.
#2 On October 2, 2015 Sucuri issued a security advisory: stored XSS in Akismet WordPress plugin and on October 13, 2015 Akismet issued a security patch.
If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now (after doing a backup)!