WordPress has easily become one of, if not the, most popular blogging platforms in the world. Millions of websites (including our very own!) have been built on the ever-popular content management platform. With popularity comes heightened attention from hackers who endeavour to find flaws and weaknesses in WordPress-based installations. WordPress regularly pushes updates to patch any newly found vulnerabilities, but that only protects the core of the website. The main concern lies with third-party themes and plugins and whether their developers keep them up to date with fixes for known weaknesses.
In the past couple of months, one such example, featuring a well-known and common plugin, was the SQL injection found in WordPress SEO by Yoast.
If you are using the WordPress SEO by Yoast plugin (version 18.104.22.168), please ensure you have updated to the latest version (1.7.4), as a SQL injection vulnerability was reported by the WPScan Vulnerability Database.
The WPScan Vulnerability Database has been compiled by the WPScan Team and others who have contributed to the development of the vulnerability scanner. Anyone can submit flaws through the website, but all issues are entered into the database manually.
The vulnerabilities are spread across three different categories: WordPress core, plugins and themes. The information includes affected software versions, references and classification.
Developers and WPScan users can make use of the data for free via the website or the API as long as it’s not for commercial purposes. A license is required for commercial usage of the vulnerability database.