Another popular WordPress plugin by Yoast has been found to be vulnerable to a critical flaw that could be exploited by hackers to hijack the affected website.

The critical vulnerability actually resides in the highly popular Google Analytics by Yoast plugin, which allows WordPress admins to monitor website traffic by connecting the plugin to their Google Analytics account.

The Google Analytics by Yoast WordPress plugin has been downloaded nearly 7 Million times with more than 1 million active installs, which makes the issue rather more serious.

A week back, we reported that all the versions of 'WordPress SEO by Yoast' was vulnerable to Blind SQL Injection web application vulnerability that allowed an attacker to execute arbitrary payload on the victim WordPress site in order to take control of it.

However, the Google Analytics by Yoast plugin is vulnerable to persistent cross-site scripting (XSS) vulnerability that allows hackers to execute malicious PHP code on the server, which leads to the takeover of administrator accounts.

Jouko Pynnönen from the Finnish IT firm Klikki Oy discovered and responsibly disclosed the vulnerability to Yoast, which, within a day, released a patch for the WordPress component that makes it safe from stored XSS attacks.

In an advisory posted to the Full Disclosure mailing list, Pynnonen explained that flaw allows an unauthenticated attacker to store malicious JavaScript or HTML code in the WordPress Administrator Dashboard on the affected system.

This malicious code could then be triggered when an administrator merely views the Yoast plugin settings panel. All of this can be successfully accomplished without any further need of authentication.

"The impact is a combination of two underlying problems," Pynnonen writes explaining that the lack of access control lets an unauthenticated user to make changes to some of the settings associated with the plug-in.

By overwriting the existing OAuth2 credentials used to fetch statistics from the real Google Analytics account, it would be possible to connect the plug-in with the attacker's own Google Analytics account.
"Secondly, the plug-in renders an HTML dropdown menu based on the data downloaded from Google Analytics," he writes. "This data is not sanitized or HTML-escaped. If the said attacker enters HTML code such as tags in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings."
A Proof-of-concept video, demonstrating the possibility to hijack the Google Analytics account, has also been released publicly, which you can watch below:

Yoast was notified of the issue on Wednesday, and it released a new version of Google Analytics by Yoast plugin (5.3.3) on Thursday. However, the company said there has been no evidence that the vulnerability was exploited in the wild.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.