Google Analytics by Yoast is a WordPress plug-in for monitoring website traffic. With approximately seven million downloads it’s one of the most popular WordPress plug-ins.
A security vulnerability in the plug-in allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel.
The bug was found by Klikki Oy in late February but the full impact didn't become clear until a more detailed investigation in March. There is now an update available correcting the issue.
The Google Analytics by Yoast plug-in contains a persistent cross-site scripting (XSS) vulnerability that allows attackers to execute malicious PHP code on the server, which leads to the takeover of administrator accounts.
It is relatively easy for an attacker to execute server-side code by exploiting this vulnerability. Under default WordPress configuration, a malicious user can use this flaw to write PHP files on the server via the plugin or theme editors.
The impact is a combination of two underlying problems. Firstly, missing access control allows an unauthenticated user to modify some of the settings associated with the plug-in. It’s possible to overwrite the existing OAuth2 credentials which the plug-in uses for retrieving data from Google Analytics, and thereby connect the plug-in to the attacker’s own Google Analytics account.
Secondly, the plug-in renders an HTML dropdown menu based on the data downloaded from Google Analytics. This data is neither sanitized nor HTML-escaped. If the attacker enters HTML code such as <script> tags in the properties of their own Google Analytics account, that code appears in the WordPress administrative Dashboard of the targeted system and is executed whenever someone views the settings.
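The two problems described above correspond to two standard WordPress hardening steps: escape every third-party value for the HTML context it lands in, and gate settings changes behind a capability check and a nonce. The following is an added illustration and not the plug-in's own code; the function names, option key and nonce action are hypothetical, and the profile list is a constructed sample standing in for data returned by the Google Analytics API.

```php
<?php
// Added example, not code from the Yoast plug-in. All names below are
// hypothetical. Constructed sample: profile data as an API might return it,
// with one entry carrying markup that must not reach the admin page unescaped.
$profiles = [
    ['id' => 'UA-000000-1', 'name' => 'Example site'],
    ['id' => 'UA-000000-2', 'name' => 'Staging <script>alert(1)</script>'],
];

// Vulnerable pattern: data fetched from a remote account is treated as
// trusted and concatenated straight into the settings page.
function ga_render_profile_dropdown_vulnerable(array $profiles, string $selected): string {
    $html = '<select name="ga_profile">';
    foreach ($profiles as $p) {
        $sel = ($p['id'] === $selected) ? ' selected' : '';
        $html .= '<option value="' . $p['id'] . '"' . $sel . '>' . $p['name'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: esc_attr() for attribute values, esc_html() for element
// text, selected() for the attribute. All three are WordPress core functions.
function ga_render_profile_dropdown(array $profiles, string $selected): string {
    $html = '<select name="ga_profile">';
    foreach ($profiles as $p) {
        $html .= '<option value="' . esc_attr($p['id']) . '"'
               . selected($p['id'], $selected, false) . '>'
               . esc_html($p['name']) . '</option>';
    }
    return $html . '</select>';
}

// Settings handler: refuse the request unless the caller holds the
// manage_options capability and presents a valid nonce. Without both checks
// an unauthenticated request could replace the stored account linkage.
function ga_save_settings(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    check_admin_referer('ga_save_settings', 'ga_settings_nonce');
    $profile = sanitize_text_field(wp_unslash($_POST['ga_profile'] ?? ''));
    update_option('ga_selected_profile', $profile);
}
```

With the hardened renderer, the second sample entry is shown literally as text in the dropdown instead of being parsed as a script element.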
Yoast was notified of the issue on March 18, 2015. A new version of the plug-in (5.3.3) was released the next day.