It’s been quite the week here at Yoast. Our release of a security update to WordPress SEO was followed by several other major plugins uncovering similar issues and a renewed interest among security researchers into big WordPress plugins. Turns out we had another issue to patch, so today we released an update to our Google Analytics plugin (both free and premium) too.
How serious are these issues?
One of the things we should have probably communicated better is the severity of the issues at hand. Some of the news outlets made it seem as though someone could walk straight into your site because of these issues, which is not even close to true. Our partners at Sucuri did a post this week on how to understand WordPress plugin vulnerabilities that’s a good read.
If you’ve read that post, you’ll have learned about the DREAD score. Both the WordPress SEO issue and today’s Google Analytics by Yoast issue were assigned a DREAD score of 5. That’s “Low”, but unfortunately it’s still an issue, so you’re advised to update immediately.
What was the issue in GA by Yoast?
The issue we fixed was another compound issue where an unauthenticated user could change the list of profiles in Google Analytics (he couldn’t change the active UA code, so he couldn’t impact your tracking directly). This list of profiles could be made malicious because Google Analytics allows property names that have JavaScript code in them. At that point an admin visiting the settings page could suffer from a stored XSS attack because we didn’t properly escape the property names on output. This is not something a hacker could easily automate, hence the low DREAD score, but if someone wanted to seriously target your site, he could.
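To make the two halves of that compound issue concrete, here is an added example (written for this page, not the plugin’s own code) of a WordPress settings handler that stores a list of profile names, first in a weak form with both defects the post describes and then in a hardened form. The option key `example_ga_profiles`, the AJAX action `example_save_profiles` and the nonce action `example_save_profiles_nonce` are assumed names; the WordPress functions used (`current_user_can`, `check_ajax_referer`, `sanitize_text_field`, `esc_attr`, `esc_html`) are the standard ones.

```php
<?php
// Added example, not the plugin's code. Option key, action names and function
// names are assumptions chosen for illustration.

// --- Weak form: the two defects described in the post ----------------------

// Defect 1: hooked on wp_ajax_nopriv_*, so an unauthenticated request can
// overwrite the stored list; there is no capability check and no nonce.
function example_save_profiles_weak() {
    $profiles = isset( $_POST['profiles'] ) ? (array) $_POST['profiles'] : array();
    update_option( 'example_ga_profiles', $profiles );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_save_profiles', 'example_save_profiles_weak' );

// Defect 2: the stored names are echoed into the settings page without
// escaping, so a name containing markup runs in the admin's browser
// (stored XSS) the next time the page is opened.
function example_render_profiles_weak() {
    foreach ( (array) get_option( 'example_ga_profiles', array() ) as $id => $name ) {
        echo '<option value="' . $id . '">' . $name . '</option>';
    }
}

// --- Hardened form ---------------------------------------------------------

function example_save_profiles_hardened() {
    // Only users who may manage options, and only with a valid nonce bound to
    // this specific action (check_ajax_referer() dies on failure).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_profiles_nonce', 'nonce' );

    $raw      = isset( $_POST['profiles'] ) ? (array) wp_unslash( $_POST['profiles'] ) : array();
    $profiles = array();
    foreach ( $raw as $id => $name ) {
        // Sanitize on input: ids reduced to a safe key, names to plain text.
        // This alone is not enough; output escaping below is still required,
        // because the names may also arrive from an external source.
        $profiles[ sanitize_key( $id ) ] = sanitize_text_field( $name );
    }
    update_option( 'example_ga_profiles', $profiles );
    wp_send_json_success();
}
// Registered only for logged-in users; there is deliberately no
// wp_ajax_nopriv_ hook, so the endpoint does not exist for anonymous visitors.
add_action( 'wp_ajax_example_save_profiles', 'example_save_profiles_hardened' );

function example_render_profiles_hardened() {
    foreach ( (array) get_option( 'example_ga_profiles', array() ) as $id => $name ) {
        // Escape on output, using the function that matches each HTML context:
        // esc_attr() inside the attribute, esc_html() for the element text.
        echo '<option value="' . esc_attr( $id ) . '">' . esc_html( $name ) . '</option>';
    }
}
```

The point of showing both halves together is that neither fix alone would have closed the issue: the capability and nonce checks stop an unauthenticated visitor from rewriting the list, and the output escaping makes a hostile property name harmless even if it reaches the database by some other path.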
We are thankful to Jouko Pynnönen for responsibly disclosing this issue to us.
Note that the fact that it’s responsibly disclosed to us means that we have not seen this issue being actively used by hackers yet. We’re fixing the hole before anyone is using it. Because we do that publicly, someone might start looking for this issue though, so please, please: update.
Are you done with those security issues yet?
I can thoroughly imagine that you’re done with these security issues. Trust me, so are we. But bugs happen; all we can do is fix them as soon as possible once we find them and inform you when we do. We’ve just started another review cycle with our partners at Sucuri, who will once again review all our major plugins for security issues. We work hard to prevent issues like this, but sometimes we too make mistakes. For that, we apologize.
For now: update!
If you use the free version of our Google Analytics plugin, update to version 5.3.3. If you use Google Analytics by Yoast Premium, you should update to version 1.2.2. If you don’t know how, read our knowledge base article on updating premium plugins.
This post first appeared as GA plugin security update & more on Yoast.