Yoast SEO <= - Blind SQL Injection

Sign up to our free email alerts service for instant vulnerability notifications!

Title: WordPress SEO by Yoast <= - Blind SQL Injection
Version/s Tested:
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)


WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used to improve the Search Engine Optimization (SEO) of WordPress sites. The latest version at the time of writing ( has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The plugin has more than one million downloads according to WordPress.

Technical Description:

The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query.

Line 529:

$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title';

Line 533:

order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );

If the GET orderby parameter value is not empty it will pass its value through WordPess's own esc_sql() function. According to WordPress this function 'Prepares a string for use as an SQL query. A glorified addslashes() that works with arrays.'. However, this is not sufficient to prevent SQL Injection as can be seen from our Proof of Concept.

Proof of Concept (PoC):

The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user.*%20from%20(select(sleep(10)))a)&order=asc

Using SQLMap:

python sqlmap.py -u "*&order=asc" --batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; wordpress_logged_in_9dee67...;"


As there is no anti-CSRF protection a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.

One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site.


March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst (WPScan Team - Dewhurst Security).
March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
March 10th 2015 - 20:00 GMT: Vendor contacted via email.
March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave expected patch timeline.
March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches this issue.
March 11th 2015 - 12:30 GMT: Advisory released.


Plugin wordpress-seo
fixed in version 1.7.4


CVE 2015-2292
CVE 2015-2293
URL https://wordpress.org/plugins/wordpress-seo/changelog/


OWASP Top 10 A1: Injection


Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 9671
Verified Yes


Publicly Published 2015-03-11 (over 1 year ago)
Added 2015-03-11 (over 1 year ago)
Last Updated 2016-07-28 (3 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.