Vulnerability in Yoast SEO 3.2.4 for WordPress. Severity 5.3 (Medium)
Update on May 11th: As per Joost’s (Yoast founder) request (see comments below), we have gone ahead and modified the title of this post to reflect the CVSS score of the vulnerability. We announced yesterday that we are standardizing on CVSS as our vulnerability severity metric which removes any subjectivity and creates a standardized way of calculating vulnerabilities. The vulnerability score for this issue is 5.3 (Medium). I should also add that the temporal and environmental scores are slightly lower at 4.3 (also Medium). I have added some more detail on the comments below.
One of our security researchers, Panagiotis Vagenas, discovered a vulnerability in Yoast SEO version 3.2.4 and earlier that allows any user with ‘subscriber’ level access to download your Yoast SEO settings. For sites that have open registration, this means that anyone can register and download your Yoast SEO settings by simply creating an account and running the exploit.
We reported this vulnerability to Yoast Tuesday May 3rd and their team has released a fix today, Friday May 6th. We recommend that you upgrade immediately if you are using Yoast SEO. This vulnerability is fixed in Yoast SEO version 3.2.5.
If you are using Wordfence Premium, you have been protected against this vulnerability being exploited from the moment we notified the plugin author which was on Tuesday. We released a firewall rule via the Threat Defense Feed on Tuesday that is already protecting your site. This is per our standard disclosure procedure. See below for details.
Details of the Vulnerability
Yoast SEO plugin has a Sensitive Data Exposure vulnerability. Plugin registers the following AJAX actions:
These actions are privileged therefore are available only to registered users, but no special capabilities are required to perform them. Any user with a valid account to the target website can exploit those actions to get information about Yoast SEO settings and post metadata relative to focus and terms keywords.
This kind of information should be available only to users with administrative capabilities. To be more precise, to users that have the manage_options capability, because the plugin’s option pages require this capability by default.
We will not be releasing an exploit proof of concept at this stage but we shared a PoC with the Yoast team on Tuesday to help them confirm and fix the vulnerability.
Wordfence Standard Disclosure Procedure
At Wordfence the security of our customers and the greater WordPress community is of paramount importance to us. With this in mind we have developed standard disclosure procedures when we discover a vulnerability that are as follows:
- One of our research team discovers a vulnerability and shares it with the rest of the team who verifies the vulnerability.
- We develop a Firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.
- We notify the vendor and simultaneously release a firewall rule to protect our premium customers via the Threat Defense Feed. Customer sites are updated immediately with the rule and no customer action is required.
- Vendor releases a fix, usually after several days and we announce the existence of the vulnerability at the same time to encourage the community to upgrade.
- Wordfence community (free) customers receive the firewall rule 30 days after the initial release to Premium customers.
- At a future date we may release a PoC so that other firewall providers can create rules to protect their customers too.