Yet another major vulnerability has been discovered with a WordPress plugin popular with SEOs and webmasters.  And it is another Yoast plugin that is affected, this time the very popular Google Analytics by Yoast plugin.  This particular exploit used XSS in order to run malicious code.

Those who use this plugin by Yoast need to ensure they are running the latest version – 5.3.3, which was released on March 19, 2015, in order to be protected.  If you have your WordPress auto-update plugins, you should be running the current version, but it is always good practice to ensure the update processed correctly.  If you update plugins manually, you should update the plugin immediately.

5.3.3

Release Date: March 19th, 2015

• Several security fixes:
  1. Fix minor XSS issue where admins could XSS each other through an unescaped manual UA field.
  2. Fix stored XSS issue where changing a property’s name in Google Analytics to contain malicious JS would allow execution of that JS in the admin as the profile name was not escaped properly.
  3. Fix un-authenticated change of the GA profile list, allowing the previous XSS to become a slightly bigger issue. Issues 2 and 3 combined lead to a DREAD score of 5.

Big thanks to Jouko Pynnönen for responsibly disclosing security issues #2 and #3.

The popular plugin, which has over one million active installs, also has a premium paid version of the plugin along with the free one.  Both versions are affected by this exploit.

As with the other recent Yoast plugin to be affected by an exploit – SEO by Yoast – they fixed the vulnerability within one day of it being responsibly disclosed to Yoast, meaning those who use Yoast plugins were in little danger as long as they deploy WordPress plugin updates immediately.

No known cases of the exploit being used for nefarious reason had been reported by the time the fix went out, but as always, when a vulnerability is disclosed, many try to take advantage of those sites running outdated plugins that have not been recently updated.

There have been a rash of plugins popular with SEOs that have had vulnerabilities discovered recently.  In addition to the two Yoast plugins, Shareaholic, RevSlider and Fancybox-for-Wordpress have all recently fixed exploits.

Should webmasters be reluctant to use these plugins?  When it comes to any popular plugin, there are always those trying to find vulnerabilities to exploit.  Popular ones are often the targets because many are installed on abandoned or neglected blogs which tend to not get plugins updated as regularly.  And often the larger plugins have a team behind them that can turnaround immediate patches, which we have seen in the Yoast cases.  Instead, warning signs of a potentially bad plugin are plugins that haven’t been updated in quite some time and ones that don’t answer or resolve support threads over several months.

Bottom line, with all the WordPress vulnerabilities lately, you should not only take the time to update Google Analytics by Yoast, but update all the plugins you currently run.