Security flaw in WordPress plugin Google Analytics by Yoast exposed
A security flaw in the popular WordPress plugin Google Analytics by Yoast allows hackers to execute arbitrary code and take over administrator accounts. Revealed on Thursday by Finnish security researcher Jouko Pynnonen on Full Disclosure, the plugin’s security issue allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system — and which is triggered when an admin views the plugin’s settings panel.
This could allow for arbitrary server-side code execution through the plugin or WordPress theme editors. In addition, Pynnonen says an attacker could change admin passwords, create their own accounts or take over a website through the security flaw.
Downloaded almost seven million times, Google Analytics by Yoast is a popular plugin which integrates Google’s Analytics services into a WordPress site, and also adds additional functions including error page tracking, outbound click rates and downloads. Yoast is available in free and premium versions.
Yoast was notified on March 18, and the company responded by rapidly deploying a new version of the plugin, 5.3.3, the next day. If you use the plugin and have not visited your website to grab this update, it is recommended you do so now.
Via: ZDNet