CVE-2024-4984: Yoast SEO Flaw Exposes Millions of WordPress Sites to Attack
Yoast SEO, the widely used WordPress plugin with over 5 million active installations, has been found vulnerable to a Stored Cross-Site Scripting (XSS) flaw. This vulnerability, tracked as CVE-2024-4984, could allow malicious actors to inject harmful scripts into websites, potentially compromising visitor data, redirecting traffic, or even taking control of affected sites.
What is the Vulnerability?
The XSS flaw exists in the “display_name” author meta field, which is used to display the author’s name on blog posts and pages. Due to insufficient input sanitization and output escaping, attackers with contributor-level access or higher can manipulate this field to inject malicious code. When unsuspecting users visit the compromised page, the embedded script executes, potentially causing significant damage.
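To make the "insufficient output escaping" point concrete, here is an added illustration (written for this page, not Yoast's own code) of the pattern behind a stored XSS in an author field: the same display_name value emitted raw into three output contexts, beside a hardened version that escapes with the WordPress escaper matching each context. The small fallback definitions of esc_html(), esc_attr() and wp_json_encode() are assumptions so the file runs outside WordPress; inside a plugin the real functions are used.

```php
<?php
// Added example (not Yoast's code): why emitting a stored display_name without
// context-appropriate output escaping yields stored XSS, and the hardened form.
// Fallbacks below let this run outside WordPress; inside WordPress the real
// esc_html(), esc_attr() and wp_json_encode() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data, int $flags = 0): string {
        return (string) json_encode($data, $flags);
    }
}

// Vulnerable pattern: the database value is trusted and concatenated raw into
// three different output contexts (element text, attribute, inline JSON-LD).
function render_author_vulnerable(string $displayName): string {
    return '<span class="author">' . $displayName . '</span>' . "\n"
         . '<meta name="author" content="' . $displayName . '">' . "\n"
         . '<script type="application/ld+json">{"author":{"name":"' . $displayName . '"}}</script>';
}

// Hardened pattern: escape at output time, with the escaper matching each context.
// JSON_HEX_TAG turns < and > into \u003C and \u003E so the encoded string can
// never close the surrounding <script> element.
function render_author_hardened(string $displayName): string {
    $jsonFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<span class="author">' . esc_html($displayName) . '</span>' . "\n"
         . '<meta name="author" content="' . esc_attr($displayName) . '">' . "\n"
         . '<script type="application/ld+json">'
         . wp_json_encode(['author' => ['name' => $displayName]], $jsonFlags)
         . '</script>';
}

// Constructed sample value: ordinary markup plus a double quote, enough to show
// where an unescaped value breaks out of each context without being a payload.
$sample = 'Jane <b>Doe</b> "editor"';
echo "--- vulnerable ---\n", render_author_vulnerable($sample), "\n\n";
echo "--- hardened ---\n", render_author_hardened($sample), "\n";
```

Run it with `php` on the command line: in the vulnerable output the `<b>` tag survives and the quote terminates the `content` attribute early; in the hardened output every context receives entity- or JSON-encoded text, which is what a fix for this class of bug has to guarantee.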
Security researcher rob006 discovered and responsibly disclosed this vulnerability.
Who is Affected?
Any WordPress website running Yoast SEO versions 22.6 or lower is at risk. Considering the plugin’s immense popularity, millions of websites could be exposed to this vulnerability. Website owners, administrators, and developers are strongly urged to update to the latest version (22.7) immediately.
What are the Risks?
The impact of a successful XSS attack can be severe. Potential consequences include:
- Data Theft: Attackers can steal sensitive information like user credentials or financial data.
- Website Defacement: Malicious actors can alter a website’s appearance or content.
- Phishing Attacks: Hackers can create fake login pages or pop-ups to trick users into revealing their information.
- Malware Distribution: Injected scripts can download malware onto visitors’ devices.
Mitigation
The most critical step is to update Yoast SEO to version 22.7 or later. This version includes a patch that addresses the XSS vulnerability. It’s also crucial to review user permissions and limit contributor-level access to trusted individuals only.
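Updating removes the escaping defect, but a value planted in a display_name before the patch is still in the database and still marks which account was used. The following audit script is an added example for this page, not part of the advisory or of Yoast; it flags display_name values that contain markup or entity-encoded markup so they can be reviewed and the owning accounts checked. The sample user array is constructed; on a real site the same list comes from get_users(['fields' => ['ID', 'display_name']]) and the script can be run with `wp eval-file`.

```php
<?php
// Added example (not from the advisory or Yoast): audit stored display_name
// values after the update, since a payload planted earlier stays in the database.

// Heuristic: decode common entity encodings first so "&lt;script" is caught
// too, then look for a tag start, an event-handler attribute, or a javascript:
// scheme. Hits are candidates for manual review, not proof of compromise.
function display_name_looks_like_markup(string $name): bool {
    $decoded = html_entity_decode($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return (bool) preg_match('/<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i', $decoded);
}

// $users: list of arrays or objects carrying ID and display_name. In WordPress
// this is what get_users(['fields' => ['ID', 'display_name']]) returns.
function find_suspicious_display_names(array $users): array {
    $hits = [];
    foreach ($users as $u) {
        $u = (array) $u;
        if (display_name_looks_like_markup((string) $u['display_name'])) {
            $hits[] = ['ID' => (int) $u['ID'], 'display_name' => (string) $u['display_name']];
        }
    }
    return $hits;
}

// Constructed sample data, not taken from any real site. Only IDs 7 and 9
// should be reported; the apostrophe and the bare "<3" are benign.
$users = [
    ['ID' => 1, 'display_name' => 'Site Admin'],
    ['ID' => 7, 'display_name' => 'Ana <b>bold</b>'],
    ['ID' => 9, 'display_name' => 'Ben &lt;script&gt;'],
    ['ID' => 12, 'display_name' => "Conor O'Brien"],
    ['ID' => 15, 'display_name' => 'Dee <3 cats'],
];

foreach (find_suspicious_display_names($users) as $hit) {
    printf("review user %d: %s\n", $hit['ID'], $hit['display_name']);
}
```

Any flagged account deserves the same treatment as a suspected compromised contributor login: reset its credentials, check its recent posts and profile edits, and set the display_name back to plain text.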