The WordPress SEO by Yoast plugin is used by millions of WordPress websites that want to be found on the internet. It is a free search engine optimisation plugin that provides various tips and methods to improve the search ranking of WordPress websites.
It now turns out that the WordPress SEO by Yoast plugin has a critical vulnerability in its code. The vulnerability, found in the ‘admin/class-bulk-editor-list-table.php’ file, allows cybercriminals and hackers to perform SQL injection attacks. Such an attack would allow the attacker to gain access to confidential and personal information stored in the WordPress database.
Cybercriminals and hackers can only perform this attack directly when they already have access to the WordPress website. It is also possible for them to send a malicious link to the website developer or administrator. That link would give the hackers direct access to the WordPress website.
The link would look like this:
As you can see in the example above, the link contains SQL command values. This attack is classified as a blind SQL injection attack. If the website administrator clicks on this link while logged in, the SQL command is executed. Now imagine what would happen if that SQL command were one that deletes everything.
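The defence against this class of bug, as an added Python model rather than the plugin's own PHP: sort parameters taken from the URL must not be pasted into the SQL text, and since ORDER BY identifiers cannot be bound as query placeholders, the hardened version allowlists them instead; the admin page also refuses any request that does not carry the logged-in administrator's own token, which a link forged by a third party cannot know. The parameter names orderby, order and _wpnonce, the posts table and its rows are assumptions constructed for illustration.

```python
import hmac
import sqlite3

# Constructed stand-in for the WordPress posts table (not real site data).
SAMPLE_ROWS = [(1, "Alpha", "publish"), (2, "Beta", "draft"), (3, "Gamma", "publish")]

ALLOWED_COLUMNS = {"ID", "post_title", "post_status"}  # assumed sortable columns
ALLOWED_ORDERS = {"ASC", "DESC"}

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER, post_title TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def vulnerable_query(conn, orderby, order):
    """Vulnerable pattern: URL sort parameters are concatenated straight into the SQL."""
    sql = "SELECT ID FROM posts ORDER BY " + orderby + " " + order
    return [row[0] for row in conn.execute(sql)]

def sort_params_accepted(orderby, order):
    """ORDER BY identifiers cannot be bound as placeholders, so allowlist them instead."""
    return orderby in ALLOWED_COLUMNS and order.upper() in ALLOWED_ORDERS

def hardened_query(conn, orderby, order):
    """Hardened form: only an allowlisted column name and direction reach the SQL text."""
    if not sort_params_accepted(orderby, order):
        raise ValueError("rejected sort parameter")
    sql = f"SELECT ID FROM posts ORDER BY {orderby} {order.upper()}"
    return [row[0] for row in conn.execute(sql)]

def handle_bulk_editor_request(conn, params, session_token):
    """Model of the admin page: a forged link cannot carry the admin's own token (assumed name _wpnonce)."""
    presented = params.get("_wpnonce", "")
    if not hmac.compare_digest(session_token.encode(), presented.encode()):
        return "forbidden"
    return hardened_query(conn, params.get("orderby", "ID"), params.get("order", "ASC"))

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "ID * -1", "ASC"))  # attacker-chosen expression is executed
    print(sort_params_accepted("ID * -1", "ASC"))  # False: the hardened path rejects it
    print(handle_bulk_editor_request(db, {"orderby": "post_title"}, "secret-token"))
```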
WordPress SEO by Yoast
There is no reason to stop using the WordPress SEO by Yoast plugin. The latest version of the plugin has been patched against the SQL injection attack. It is important to update WordPress SEO by Yoast to the latest version if it is running on your WordPress website.
Cybercriminals and hackers
Cybercriminals and hackers are always on the lookout for this type of vulnerability. Such vulnerabilities let them infect thousands or even millions of websites using automated code that performs malicious requests and uploads.
It is possible that cybercriminals will use this vulnerability against WordPress administrators via forged emails or messages.