Critical flaw in WordPress SEO plugin hits millions of sites

A blind SQL attack could result in the unauthorized access of a WordPress installation. Users on hosted versions have been patched automatically.

(Image: stock image)

A security flaw in a popular WordPress plugin has been patched, preventing hackers from potentially taking over an entire blog installation.

10 best privacy tools for staying secure online

A number of free and open-source projects exist solely to protect your identity and online activity. Here are just a few to make you more secure in the new year.

Read More

Yoast, the maker of the popular "wordpress-seo" plugin for the blogging platform, said it has patched a cross-site request forgery flaw that allowed a blind SQL attack. That could've allowed a hacker to modify the back-end database, which might have allowed the insertion of malware, adware, spam links, or other unwanted content.

The flaw required some work by a malicious actor, however. An authorized WordPress user would have had to be tricked into clicking a carefully-crafted link in order for a hacker to exploit the flaw.

Yoast credited Ryan Dewhurst with finding the flaw, who reported the vulnerability privately, preventing it from being exploited in the wild.

Dewhurst said: "One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site."

The severity of the flaw resulted in a forced automatic update by, the blogging platform's hosted services.

Correction: the vulnerability was introduced in version 1.5, so users using an older version are not affected.