GA plugin security update & more

It’s been quite the week here at Yoast. Our release of a security update to WordPress SEO was followed by several other major plugins uncovering similar issues and a renewed interest among security researchers into big WordPress plugins. Turns out we had another issue to patch, so today we released an update to our Google Analytics plugin (both free and premium) too.

How serious are these issues?

One of the things we should have probably communicated better is the severity of the issues at hand. Some of the news outlets made it seem as though someone could walk straight into your site because of these issues, which is not even close to true. Our partners at Sucuri did a post this week on how to understand WordPress plugin vulnerabilities that’s a good read.

If you’ve read that post you’ll know about the DREAD score. Both the WordPress SEO issue and today’s Google Analytics by Yoast issue were assigned a DREAD score of 5. That’s “Low”, but unfortunately it’s still an issue, so you’re advised to update immediately.

What was the issue in GA by Yoast?

The issue we fixed was another compound issue: an unauthenticated user could change the list of profiles in Google Analytics (he couldn’t change the active UA code, so he couldn’t impact your tracking directly). This list of profiles could be made malicious because Google Analytics allows property names that contain JavaScript code. At that point an admin visiting the settings page could suffer a stored XSS attack, because we didn’t properly escape the property names on output. This is not something a hacker could easily automate, hence the low DREAD score, but if someone wanted to seriously target your site, he could.
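As an added illustration, not the plugin’s own code, here is how the two halves of that compound issue map onto two fixes in a hypothetical WordPress settings screen: the handler that stores the profile list checks capability and nonce, and the profile names are escaped on output. The function and option names (`yst_example_save_profiles`, `yst_example_profiles`, `yst_example_profiles_nonce`) are assumptions.

```php
<?php
// Hypothetical WordPress settings code; not the GA by Yoast plugin's source.

// Handler that stores the profile list fetched from Google Analytics. The bug
// described above let an unauthenticated request replace this list, so the
// handler must require an admin capability and a valid nonce before saving.
add_action( 'wp_ajax_yst_example_save_profiles', 'yst_example_save_profiles' );
function yst_example_save_profiles() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'yst_example_profiles_nonce', 'nonce' );

    $raw      = ( isset( $_POST['profiles'] ) && is_array( $_POST['profiles'] ) ) ? $_POST['profiles'] : array();
    $profiles = array();
    foreach ( $raw as $id => $name ) {
        // Property names are chosen in Google Analytics and may contain markup.
        // Sanitise on input, but never rely on that alone for output safety.
        $profiles[ absint( $id ) ] = sanitize_text_field( wp_unslash( $name ) );
    }
    update_option( 'yst_example_profiles', $profiles );
    wp_send_json_success();
}

// Rendering the profile dropdown on the settings page. The stored XSS came
// from echoing the property name unescaped, i.e. the vulnerable pattern
//   echo '<option>' . $name . '</option>';
// esc_attr() and esc_html() neutralise any markup in the stored name even
// if a malicious value reached the option through some other path.
function yst_example_render_profile_select( $selected ) {
    $profiles = get_option( 'yst_example_profiles', array() );
    echo '<select name="yst_example_profile">';
    foreach ( $profiles as $id => $name ) {
        printf(
            '<option value="%s"%s>%s</option>',
            esc_attr( $id ),
            selected( $selected, $id, false ),
            esc_html( $name )
        );
    }
    echo '</select>';
}
```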

We are thankful to Jouko Pynnönen for responsibly disclosing this issue to us.

Note that the fact that it’s responsibly disclosed to us means that we have not seen this issue being actively used by hackers yet. We’re fixing the hole before anyone is using it. Because we do that publicly, someone might start looking for this issue though, so please, please: update.

Are you done with those security issues yet?

I can thoroughly imagine that you’re done with these security issues. Trust me, so are we. But bugs happen; all we can do is fix them as soon as possible when we find them and inform you when we do. We’ve just started another review cycle with our partners at Sucuri, who will once again review all our major plugins for security issues. We work hard to prevent issues like this, but sometimes we too make mistakes. For that, we apologize.

For now: update!

If you use the free version of our Google Analytics plugin, update to version 5.3.3. If you use Google Analytics by Yoast Premium, you should update to version 1.2.2; if you don’t know how, read our knowledge base article on updating premium plugins.

This post first appeared as GA plugin security update & more on Yoast.