This entry was posted in Vulnerabilities, WordPress Security on May 6, 2016 by Mark Maunder

Update on May 11th: As per the request of Joost (the Yoast founder; see the comments below), we have modified the title of this post to reflect the CVSS score of the vulnerability. We announced yesterday that we are standardizing on CVSS as our vulnerability severity metric, which removes subjectivity and gives us a standardized way of scoring vulnerabilities. The base score for this issue is 5.3 (Medium). I should also add that the temporal and environmental scores are slightly lower at 4.3 (also Medium). I have added some more detail in the comments below.

One of our security researchers, Panagiotis Vagenas, discovered a vulnerability in Yoast SEO version 3.2.4 and earlier that allows any user with ‘subscriber’ level access to download your Yoast SEO settings. For sites that have open registration, this means that anyone can register and download your Yoast SEO settings by simply creating an account and running the exploit.

We reported this vulnerability to Yoast Tuesday May 3rd and their team has released a fix today, Friday May 6th. We recommend that you upgrade immediately if you are using Yoast SEO. This vulnerability is fixed in Yoast SEO version 3.2.5.

If you are using Wordfence Premium, you have been protected against exploitation of this vulnerability from the moment we notified the plugin author, which was on Tuesday. We released a firewall rule via the Threat Defense Feed on Tuesday that is already protecting your site. This is per our standard disclosure procedure; see below for details.

Details of the Vulnerability

The Yoast SEO plugin has a Sensitive Data Exposure vulnerability. The plugin registers the following AJAX actions:

wpseo_export

get_focus_keyword_usage

get_term_keyword_usage

These actions are privileged, meaning they are available only to logged-in users, but no specific capability is required to perform them. Any user with a valid account on the target website can invoke these actions to obtain the Yoast SEO settings and post metadata related to focus keywords and term keywords.

This kind of information should be available only to users with administrative capabilities. To be more precise, it should be available only to users who have the manage_options capability, because the plugin’s option pages require that capability by default.
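The class of bug described above, as an added illustration that is not Yoast’s code: a WordPress AJAX handler that relies only on the login requirement of the wp_ajax_ hook, beside one that also enforces the manage_options capability and a nonce. The action name, option key and nonce name are hypothetical.

```php
<?php
// Added illustration, not Yoast's code. Action name, option key and nonce
// name are hypothetical.

// --- Vulnerable pattern (shown for contrast; registration left commented
// out so only the hardened handler below is hooked).
// add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_vulnerable' );
function myplugin_export_settings_vulnerable() {
    // A wp_ajax_ hook (with no wp_ajax_nopriv_ counterpart) already rejects
    // anonymous requests, but "logged in" is not "administrator": a
    // subscriber-level account passes this check too.
    wp_send_json_success( get_option( 'myplugin_settings' ) );
}

// --- Hardened pattern: the handler requires the same capability as the
// plugin's settings page, and a nonce to reject cross-site requests.
add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_hardened' );
function myplugin_export_settings_hardened() {
    // Capability check: only users who may manage options may export them.
    // wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Nonce check: the admin page that issues the request creates the token
    // with wp_create_nonce( 'myplugin_export_settings' ) and sends it in the
    // 'nonce' field. check_ajax_referer() dies on a missing or invalid nonce.
    check_ajax_referer( 'myplugin_export_settings', 'nonce' );

    wp_send_json_success( get_option( 'myplugin_settings' ) );
}
```

The same pattern applies to every wp_ajax_ action a plugin registers: the hook decides whether a login is needed, and the handler itself must decide which capability is needed.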

We will not be releasing an exploit proof of concept at this stage but we shared a PoC with the Yoast team on Tuesday to help them confirm and fix the vulnerability.

Wordfence Standard Disclosure Procedure

At Wordfence, the security of our customers and the greater WordPress community is of paramount importance to us. With this in mind, we have developed a standard disclosure procedure for when we discover a vulnerability, which is as follows: