Yoast SEO Plugin XSS Flaw Exposes 5 Million+ WordPress Websites to Attack

A critical cross-site scripting (XSS) vulnerability has been discovered in the popular Yoast SEO WordPress plugin, potentially putting over 5 million websites at risk of compromise.

The flaw was found by security researcher Bassem Essam and reported via the Wordfence Bug Bounty Program.

The reflected XSS vulnerability exists in all Yoast SEO versions up to and including 22.5 due to insufficient input sanitization and output escaping.

It allows unauthenticated attackers to inject malicious scripts into WordPress pages via the plugin’s URL parameters. Because the injection is reflected rather than stored, nothing is saved on the site: the script executes only in the browser of a user who opens the crafted URL, with whatever privileges that user holds. When an administrator visits the crafted URL, the injected script executes in their authenticated browser session.
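The bug class described above, shown as an added example that is not code from Yoast SEO or from the Wordfence advisory. The parameter name `ref`, the page slug and the crafted URL are constructed for illustration; the point is the contrast between copying a query-string value into HTML verbatim and escaping it for the context it lands in. WordPress provides `esc_attr()` and `esc_html()` for the two contexts used here; Python's `html.escape` plays that role in the example.

```python
"""Reflected XSS: a vulnerable render beside its hardened form.

Added example, not code from Yoast SEO or Wordfence. The parameter name
"ref" and the URL below are constructed to illustrate the bug class: a
value taken from the query string is copied into HTML without escaping.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL (hypothetical page slug and parameter name).
CRAFTED_URL = (
    "https://example.test/wp-admin/admin.php?page=demo"
    "&ref=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def reflected_param(url: str, name: str) -> str:
    """Return the URL-decoded value of one query parameter ("" if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Insufficient output escaping: the raw value is placed inside a
    double-quoted attribute and then in the page body, so a quote and a
    tag in the value break out of both contexts."""
    return (
        f'<input type="hidden" name="ref" value="{value}">'
        f"<p>Referrer: {value}</p>"
    )


def render_hardened(value: str) -> str:
    """Escape per output context. quote=True also encodes the quote
    characters, which is what makes the value safe inside an attribute;
    the text context only needs <, > and & encoded. In WordPress these
    are esc_attr() and esc_html() respectively."""
    attr = escape(value, quote=True)
    text = escape(value, quote=False)
    return (
        f'<input type="hidden" name="ref" value="{attr}">'
        f"<p>Referrer: {text}</p>"
    )


def contains_live_script(html: str) -> bool:
    """Demo check: does an unescaped <script> tag survive in the output?"""
    return "<script>" in html.lower()


if __name__ == "__main__":
    payload = reflected_param(CRAFTED_URL, "ref")
    print("payload:   ", payload)
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
```

The hardened version still reflects the attacker's string back to the user; it just reaches the browser as inert text. Input sanitization on the way in is a second layer, but the fix that actually closes a reflected XSS is escaping at the point of output, chosen for the HTML context (text, attribute, URL, or script) the value is written into.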

According to the advisory, successful exploitation could enable attackers to create rogue admin accounts, inject backdoors into theme and plugin files, redirect visitors to malicious sites, and gain complete control over the vulnerable WordPress site.

The attack requires tricking an administrator into clicking a malicious link. Yoast has released a patched version, 22.6, to address the security hole.

All websites using Yoast SEO are urged to update immediately. According to WordPress.org, the plugin is active on over 5 million WordPress installations.


Web security company Wordfence has added firewall rules to protect its users against any exploit attempts targeting this flaw.

They awarded Bassem Essam a $563 bug bounty for reporting the vulnerability.

“This vulnerability requires users to click on a link to be successful, and is a reminder for site administrators and users to follow security best practices and avoid clicking on links from untrusted sources,” said Ram Gall, QA Engineer at Defiant, the company behind Wordfence.

Yoast SEO is the most popular WordPress plugin for search engine optimization, making this a particularly impactful vulnerability.

Website owners who use the plugin should update to version 22.6 or later as soon as possible.

Administrators are also advised to review their sites for signs of compromise, such as unexpected administrator accounts, modified theme or plugin files, and unfamiliar redirects.

The incident underscores the importance of keeping WordPress plugins updated and the key role bug bounty programs play in responsibly disclosing vulnerabilities.

More details on the flaw and a timeline of its discovery and patching are available on the Wordfence blog.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.