Vulnerability in Yoast SEO 3.2.4 for WordPress. Severity 5.3 (Medium)

Update on May 11th: At the request of Joost (Yoast's founder; see the comments below), we have modified the title of this post to reflect the CVSS score of the vulnerability. We announced yesterday that we are standardizing on CVSS as our vulnerability severity metric, which removes subjectivity and gives us a standardized way of scoring vulnerabilities. The score for this issue is 5.3 (Medium). The temporal and environmental scores are slightly lower, at 4.3 (also Medium). I have added more detail in the comments below.

One of our security researchers, Panagiotis Vagenas, discovered a vulnerability in Yoast SEO version 3.2.4 and earlier that allows any user with 'subscriber' level access to download your Yoast SEO settings. For sites that have open registration, this means that anyone can register an account and download your Yoast SEO settings simply by logging in and running the exploit.

We reported this vulnerability to Yoast on Tuesday, May 3rd, and their team released a fix today, Friday, May 6th. We recommend that you upgrade immediately if you are using Yoast SEO. This vulnerability is fixed in Yoast SEO version 3.2.5.

If you are using Wordfence Premium, you have been protected against exploitation of this vulnerability from the moment we notified the plugin author, on Tuesday. We released a firewall rule via the Threat Defense Feed on Tuesday that is already protecting your site. This is per our standard disclosure procedure; see below for details.

Details of the Vulnerability

The Yoast SEO plugin has a sensitive data exposure vulnerability. The plugin registers the following AJAX actions:

wpseo_export
get_focus_keyword_usage
get_term_keyword_usage

These actions are registered as privileged (logged-in) AJAX actions, so they are available only to authenticated users, but no specific capability is required to perform them. Any user with a valid account on the target website can invoke these actions to obtain the Yoast SEO settings and the post metadata relating to focus keywords and term keywords.

This kind of information should be available only to users with administrative capabilities; more precisely, only to users who have the manage_options capability, because the plugin's option pages require this capability by default.
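The root cause described above is a general WordPress pattern: a handler hooked on `wp_ajax_{action}` (with no `wp_ajax_nopriv_` twin) is reachable by every logged-in user, and WordPress performs no capability check on the developer's behalf. The following is an added example, not Yoast SEO's code, showing that pattern beside its hardened form. The plugin prefix `acme_`, the option name `acme_settings`, the action names, the nonce action string and the settings-page hook suffix are all hypothetical; the WordPress functions (`add_action`, `current_user_can`, `check_ajax_referer`, `wp_send_json_*`, `wp_create_nonce`, `wp_localize_script`) are real core APIs.

```php
<?php
/*
 * Added example (not Yoast SEO's code). Names prefixed "acme_" are hypothetical.
 *
 * Pattern 1: the defect described in the post. A "privileged" AJAX handler
 * assumes that "logged in" means "authorised", so any subscriber-level
 * account can retrieve the plugin-wide settings.
 */
function acme_export_settings_insecure() {
    $settings = get_option( 'acme_settings', array() ); // whole settings array
    wp_send_json_success( $settings );                  // returned to any authenticated caller
}
add_action( 'wp_ajax_acme_export_settings_insecure', 'acme_export_settings_insecure' );

/*
 * Pattern 2: hardened handler. Gate on the same capability the plugin's own
 * settings page requires (manage_options) and require a nonce so the request
 * cannot be forged from another site (CSRF) either.
 */
function acme_export_settings_secure() {
    // 1. Nonce: rejects requests that did not originate from our admin page.
    //    On failure check_ajax_referer() calls wp_die( -1 ) and stops here.
    check_ajax_referer( 'acme_export_settings', 'nonce' );

    // 2. Capability: only users allowed to manage options may read them.
    //    HTTP 403 makes the refusal visible in web-server logs for monitoring.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = get_option( 'acme_settings', array() );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_acme_export_settings', 'acme_export_settings_secure' );

/*
 * The legitimate caller (our own settings page) must receive a matching
 * nonce; wp_localize_script() hands it to the page's JavaScript.
 * 'settings_page_acme' is the hypothetical hook suffix of that page.
 */
function acme_admin_enqueue( $hook ) {
    if ( 'settings_page_acme' !== $hook ) {
        return; // do not expose the nonce on unrelated admin screens
    }
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_export_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_admin_enqueue' );
```

The capability check is the fix for the issue in this post; the nonce check is the usual companion because an action that is only capability-gated can still be triggered through an administrator's browser by a cross-site request. Reviewing a plugin for this class of bug amounts to listing every `add_action( 'wp_ajax_...' )` registration and confirming that each callback checks a capability appropriate to the data it reads or writes.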

We will not be releasing an exploit proof of concept at this stage but we shared a PoC with the Yoast team on Tuesday to help them confirm and fix the vulnerability.

Wordfence Standard Disclosure Procedure

At Wordfence, the security of our customers and the greater WordPress community is of paramount importance to us. With this in mind we have developed a standard disclosure procedure for vulnerabilities we discover, which is as follows:

  1. A member of our research team discovers a vulnerability and shares it with the rest of the team, who verify the vulnerability.
  2. We develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.
  3. We notify the vendor and simultaneously release the firewall rule to protect our Premium customers via the Threat Defense Feed. Customer sites are updated immediately with the rule and no customer action is required.
  4. The vendor releases a fix, usually after several days, and we announce the existence of the vulnerability at the same time to encourage the community to upgrade.
  5. Wordfence community (free) customers receive the firewall rule 30 days after the initial release to Premium customers.
  6. At a future date we may release a PoC so that other firewall providers can create rules to protect their customers too.


Comments

10 Comments
  • Cracking work boys.

  • Good job! Strange enough Yoast doesn't mention any security fixes. Thanks for the update.

  • Thanks again Wordfence!

  • Does this affect version 2.35 as well? I've been holding off on upgrading to 3.x because of the complete disaster it has been.

    • This did affect every version. However, as it was a very low severity issue (which the blog post above fails to mention), I wouldn't worry about that part too much. Sorry to hear you say 3.0 was a disaster, we think it's a huge improvement and I'd encourage you to try 3.2.5!

  • Hi, can you also check our seo plugin on security issues?

    • Hi Severin. I'll have Pan or one of our other researchers look at it. If we find anything, we'll use the standard disclosure process i.e. will contact you and work with you privately until your customers are updated.

  • As you've now gone ahead and started classifying vulnerabilities better (as per your latest post about the medium level vulnerability in your own plugin), I would ask you to update this post and its title with the severity as well.

    All the settings that people could get (which btw was an issue and we are thankful for your report), were also visible on the frontend of the site. If you'd calculate a DREAD score you'd probably come to a 0, simply because the data is already public.

    • Hi Joost. We don't use DREAD because it is inconsistent and for that reason even Microsoft, the creators of DREAD, stopped using the system back in 2008.

      I've gone ahead and updated the vulnerability report with a CVSS score and a link to the calculation we did.

      The vulnerability exposes non-public data which includes the site templates and 'fbconnectkey', which it looks like you're generating but I don't see where it's exposed on the UI. It also includes 'excluded-posts', which is a list of post IDs that are not supposed to be included in the sitemap. It also is a dump of your entire site settings (153 lines of data in the case of our test server) all in one place, which saves a significant amount of reverse engineering if someone wanted this.

  • Glad this is a low severity issue as I love Yoast!

    Is the issue completely fixed in 3.2.5?