A security flaw in a popular WordPress plugin has been patched, preventing hackers from potentially taking over an entire blog installation.
Yoast, the maker of the popular "wordpress-seo" plugin for the blogging platform, said it has patched a cross-site request forgery flaw that allowed a blind SQL attack. That could've allowed a hacker to modify the back-end database, which might have allowed the insertion of malware, adware, spam links, or other unwanted content.
The flaw required some work by a malicious actor, however. An authorized WordPress user would have had to be tricked into clicking a carefully-crafted link in order for a hacker to exploit the flaw.
Yoast credited Ryan Dewhurst with finding the flaw, who reported the vulnerability privately, preventing it from being exploited in the wild.
Dewhurst said: "One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site."
The severity of the flaw resulted in a forced automatic update by WordPress.org, the blogging platform's hosted services.
Correction: the vulnerability was introduced in version 1.5, so users using an older version are not affected.