Friday, 6 May 2016

Vulnerability in Yoast SEO 3.2.4 for WordPress


The Wordfence team discovered a vulnerability in Yoast SEO version 3.2.4 and earlier that allows any user with ‘subscriber’ level access to download your Yoast SEO settings. For sites that have open registration, this means that anyone can register and download your Yoast SEO settings by simply creating an account and running the exploit.
Wordfence reported this vulnerability to Yoast on Tuesday, May 3rd, and the Yoast team released a fix today, Friday, May 6th. We recommend that you upgrade immediately if you are using Yoast SEO. This vulnerability is fixed in Yoast SEO version 3.2.5.

Details of the Vulnerability

The Yoast SEO plugin has a Sensitive Data Exposure vulnerability. The plugin registers the following AJAX actions:
  • wpseo_export
  • get_focus_keyword_usage
  • get_term_keyword_usage
These actions are privileged, so they are available only to registered users, but no special capabilities are required to perform them. Any user with a valid account on the target website can exploit those actions to obtain information about Yoast SEO settings and post metadata related to focus and term keywords.

This kind of information should be available only to users with administrative capabilities. More precisely, it should be limited to users who have the manage_options capability, because the plugin’s option pages require this capability by default.
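The missing check described above, shown as an added example for plugin authors and reviewers. This is not code from Yoast SEO: it assumes it is loaded as a WordPress plugin file, and every name prefixed `example_` (actions, handlers, option) is hypothetical.

```php
<?php
/**
 * Added illustration, not Yoast SEO source code.
 * Assumption: loaded by WordPress as a plugin file.
 * All example_* action, function and option names are hypothetical.
 */

// BEFORE: a wp_ajax_{action} hook runs for any logged-in user, so a
// subscriber account is enough to reach this handler.
add_action( 'wp_ajax_example_export_before', 'example_export_before' );
function example_export_before() {
	// Being logged in is the only requirement: no capability is checked.
	wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

/**
 * Wrap an AJAX handler so it runs only for users holding $capability.
 * wp_send_json_error() sends the response and terminates the request,
 * so the wrapped handler is never reached by an unauthorized user.
 */
function example_require_cap( $capability, $handler ) {
	return function () use ( $capability, $handler ) {
		if ( ! current_user_can( $capability ) ) {
			wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
		}
		call_user_func( $handler );
	};
}

function example_export_after() {
	wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

function example_keyword_usage_after() {
	// Placeholder payload standing in for per-post keyword metadata.
	wp_send_json_success( array( 'usage' => array() ) );
}

// AFTER: the same kind of hooks, each gated on manage_options, the
// capability the text above says the plugin's option pages require.
$example_handlers = array(
	'example_export_after'        => 'example_export_after',
	'example_keyword_usage_after' => 'example_keyword_usage_after',
);
foreach ( $example_handlers as $action => $handler ) {
	add_action( 'wp_ajax_' . $action, example_require_cap( 'manage_options', $handler ) );
}
```

When reviewing a plugin, the same question applies to every `wp_ajax_` registration: does the handler call `current_user_can()` before it returns data?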

Source: Wordfence Blog