If you’re using a version of the popular WordPress SEO plugin Yoast older than 1.7.4 (the patched release), you and your site are vulnerable to a blind SQL injection attack.
What damage can the vulnerability cause?
The issue with Yoast can lead to a database breach and exposure of confidential information.
The advisory states: “The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query.” Read the full security advisory here. The proof of concept is a crafted GET request that makes the database query sleep for 10 seconds when the link is opened by a logged-in admin, editor or author, so exploitation depends on a privileged user opening an attacker-supplied link.
What can I do to protect myself, my site and my customers?
- If you’re running Yoast, upgrade to the latest version (1.7.4) to patch the vulnerability.
- Regularly back up your site to prevent irreparable damage from an attack.
- Make sure you use WordPress’s automated updating of plugins and themes, which can be enabled in the Manage > Plugins & Themes > Auto Updates tab.
- Avoid WordPress plugins that don’t support auto-updating. Plugins that can’t update themselves are more likely to sit unpatched and become attack targets, and they can easily take down your site if you don’t update them manually.
WordPress’s Problem With SQL Injections
WordPress powers more than 20 percent of all sites on the internet, making it far and away the most popular content management system — and one of the biggest targets for attacks.
SQL injections have been a particularly bad issue for WordPress site owners. An SQL injection lets an attacker alter the queries an application sends to its database, which can mean reading data that should stay private or changing site content.
Yoast’s CEO Joost de Valk said this vulnerability should have been caught in a regular security review, but it was unusual because the values were escaped using esc_sql, which you’d think should prevent SQL injection, but it does not. The reason is that esc_sql escapes quotes so a value can sit safely inside a quoted string literal; a value placed bare into an ORDER BY clause is not a string literal, so the escaping has no effect there, and only checking the parameter against a fixed list of permitted column names and sort directions prevents injection. de Valk said this vulnerability proves WordPress sites “need far stricter sanitization” and that it’s “a good lesson to learn for other developers.” Read Yoast’s explanation in his own words here.
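As an added illustration (not code from this post or from the Yoast plugin), the pattern the advisory describes is shown below in Python with sqlite standing in for the plugin's PHP and MySQL: an `orderby`/`order` pair run through a quote-escaper that stands in for `esc_sql`, then dropped bare into ORDER BY, beside the allowlist-validated version. The table, its columns, the sample rows and the allowed column set are all constructed for the demo; the real plugin's column list is not on the page.

```python
import sqlite3

# Assumed listing columns a user may sort by; the real plugin's allowlist is not on the page.
ALLOWED_ORDERBY = {"id", "title", "date"}
ALLOWED_ORDER = {"ASC", "DESC"}


def esc_sql_like(value: str) -> str:
    """Stand-in for a string-literal escaper such as WordPress's esc_sql().

    It doubles single quotes so the value is safe *inside* a quoted literal
    ('...'); that is the only context such escaping protects. Constructed here
    for the demo, not the real function.
    """
    return value.replace("'", "''")


def vulnerable_order_clause(orderby: str, order: str) -> str:
    """Escape-then-interpolate, the pattern the advisory describes.

    ORDER BY takes identifiers and expressions, not quoted strings, so the
    escaped value is inserted bare and an expression passes straight through.
    """
    return f"ORDER BY {esc_sql_like(orderby)} {esc_sql_like(order)}"


def is_allowed(orderby: str, order: str) -> bool:
    """Allowlist check: an exact column name and an exact direction, nothing else."""
    return orderby.lower() in ALLOWED_ORDERBY and order.upper() in ALLOWED_ORDER


def safe_order_clause(orderby: str, order: str) -> str:
    """Build ORDER BY only from allowlisted tokens; anything else is rejected.

    Membership in the set guarantees the normalised value equals an allowlist
    entry, so the clause never carries arbitrary request text and needs no escaping.
    """
    if not is_allowed(orderby, order):
        raise ValueError(f"rejected sort parameters: orderby={orderby!r} order={order!r}")
    return f"ORDER BY {orderby.lower()} {order.upper()}"


def fetch_titles(order_clause: str) -> list:
    """Run a listing query against a constructed in-memory table (sqlite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, date TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "kiwi", "2015-03-01"), (2, "fig", "2015-03-02"), (3, "banana", "2015-03-03")],
    )
    rows = conn.execute(f"SELECT title FROM posts {order_clause}").fetchall()
    conn.close()
    return [title for (title,) in rows]


if __name__ == "__main__":
    # A harmless expression that is not a column: it contains no quote, so the
    # escaper leaves it untouched and the vulnerable builder happily sorts by it.
    probe = "length(title)"
    print(esc_sql_like(probe) == probe)                          # True: escaping changed nothing
    print(fetch_titles(vulnerable_order_clause(probe, "DESC")))  # ['banana', 'kiwi', 'fig']
    print(fetch_titles(safe_order_clause("title", "asc")))       # ['banana', 'fig', 'kiwi']
    print(is_allowed(probe, "DESC"))                             # False: allowlist rejects it
```

The same limitation applies to parameterised queries: placeholders such as `$wpdb->prepare()` bind values, not identifiers, so a column name or sort direction taken from a request can only be made safe by matching it against a fixed list of permitted tokens, as `safe_order_clause` does.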