Security flaw in WordPress plugin Google Analytics by Yoast exposed

The plugin's security problem could be exploited to allow remote attackers to conduct arbitrary server-side code execution.
Written by Charlie Osborne, Contributing Writer
A security flaw in the popular Wordpress plugin Google Analytics by Yoast allows hackers to execute arbitrary code and take over administrator accounts.

Revealed on Thursday by Finnish security researcher Jouko Pynnonen on Full Disclosure, the plugin's security issue allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator's Dashboard on the target system -- and which is triggered when an admin views the plugin's settings panel.

This could allow for arbitrary server-side code execution through the plugin or Wordpress theme editors. In addition, Pynnonen says an attacker could change admin passwords, create their own accounts or take over a website through the security flaw.

Downloaded almost seven million times, Google Analytics by Yoast is a popular plugin which integrates Google's Analytics services into a Wordpress site, and also adds additional functions including error page tracking, outbound click rates and downloads. Yoast is available in free and premium versions.

The security flaw stems from two issues. First of all, there is missing access control procedures which may allow an unauthenticated user to tweak plugin settings -- and it is possible to override existing OAuth2 credentials used by the plugin to pull data from Google Analytics by connecting the plugin with an attacker's separate Google Analytics account.

Secondly, the plugin renders an HTML menu based on this data, which is not sanitized or sandboxed. If an attacker chooses to add script tags in the properties in their Google Analytics account settings, it will appear in the compromised Wordpress admin dashboard -- and be executed once a user views the settings page.

A proof-of-concept example is shown below.


The reauth link would have to be clicked on by the attacker, which resets plugin settings and allows the hacker to grab an authentication code from the Google OAuth system. The attacker then needs to copy and paste the code -- and without authentication -- the plugin would then account swap and pull its data from the attacker's account. The payload is then entered in the hacker's Google Analytics account.

Yoast was notified on March 18, and the company responded by rapidly deploying a new version of the plugin, 5.3.3, the next day. If you use the plugin and have not visited your website to grab this update, it is recommended you do so now.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards