  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] WordPress SEO plugin allows SQLi, site hijacking

    Another highly popular WordPress plugin has been found sporting a cross-site request forgery flaw that can be exploited to mount a blind SQL injection attack, and could also lead to an attacker gaining complete control of the site by adding his own administrative user to it.

    The WordPress SEO plugin developed by Yoast has been installed and is actively used on more than a million WordPress sites. As its name says, the plugin is used to improve the Search Engine Optimization of WordPress sites.

    "The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database," Joost de Valk, the company's owner explained. "While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue."

    The flaw has been found and responsibly disclosed to the Yoast team by Ryan Dewhurst of the WPScan team. More details about the vulnerability and exploit code can be found here.

    "Because of the severity of the issue, the team put out a forced automatic update," de Valk pointed out. Users who have disabled autoupdating are urged to update to versions 1.7.4, 1.6.4, and 1.5.7 (depending on which version they previously used).

    "If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3," he concluded.
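    As an added example (not from the article, the forum post or the Yoast project), a Python check that reads the plugin version from a WordPress plugin file header and compares it against the fixed versions the post lists, so a site owner with auto-updates disabled can tell whether their install still needs the update. The header format is the standard WordPress plugin header; the sample header, the treatment of branches older than 1.5 as unpatched and of branches newer than 1.7 as already patched are assumptions.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions named in the advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {
    (1, 5): (1, 5, 7),
    (1, 6): (1, 6, 4),
    (1, 7): (1, 7, 4),
}
# Fixed version for WordPress SEO Premium, also from the advisory.
FIXED_PREMIUM = (1, 5, 3)

# Constructed sample of a WordPress plugin header (standard header format;
# the version value is made up for the example).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Yoast SEO
 * Version: 1.7.3
 */
"""


def parse_version(header_text: str) -> Optional[Version]:
    """Extract the 'Version:' field from a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Version, premium: bool = False) -> bool:
    """True if the installed version predates the fix for its branch."""
    v = tuple(version) + (0,) * (3 - len(version))  # pad 1.7 -> 1.7.0
    if premium:
        return v < FIXED_PREMIUM
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: branches older than the oldest patched one never got the fix;
    # branches newer than the newest patched one already include it.
    return branch < min(FIXED_BY_BRANCH)


def audit_header(header_text: str, premium: bool = False) -> Optional[bool]:
    """Parse a plugin header and report whether that install is still vulnerable."""
    version = parse_version(header_text)
    return None if version is None else is_vulnerable(version, premium)
```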

  2. #2
    WHT-BR Top Member
    Join Date
    Nov 2010
    Every month some WP plugin has something new hehehe
