Executive Summary

The Yoast SEO plugin for WordPress has a vulnerability known as Insecure Direct Object References (IDOR) in all versions up to and including 26.5. This vulnerability arises because the Meta Search REST API endpoint does not properly verify whether a user owns a post before allowing access to its SEO metadata.

As a result, authenticated users with Contributor-level access or higher can exploit this flaw to read sensitive SEO metadata from any post on the site by manipulating the 'post_id' parameter. This includes posts owned by other users, private posts, and draft posts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users with Contributor-level access and above to read sensitive SEO metadata from any post on the site, including private and draft posts owned by other users. This unauthorized access to potentially sensitive information could lead to violations of data protection standards and regulations such as GDPR or HIPAA, which require strict controls on access to personal and sensitive data.

Since the vulnerability involves insufficient authorization checks and exposure of data that should be restricted, organizations using the affected Yoast SEO plugin versions may face compliance risks related to unauthorized data disclosure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with Contributor-level access or above to view sensitive SEO metadata from posts they should not have access to. This could lead to exposure of private or draft content, potentially revealing confidential information or internal strategies.

While the vulnerability does not allow modification or deletion of content, the unauthorized disclosure of metadata could be leveraged for further attacks or information gathering.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to SEO metadata via the Meta Search REST API endpoint using the 'post_id' parameter by authenticated users with Contributor-level access or higher.

To detect exploitation attempts on your system or network, you can monitor HTTP requests to the Yoast SEO Meta Search REST API endpoint, looking for unusual or unauthorized access patterns, especially requests containing the 'post_id' parameter made by users with Contributor or higher roles.

Suggested commands include using web server logs or network monitoring tools to filter for such requests. For example, using grep on Apache or Nginx logs:

• grep 'wp-json/yoast/v1/meta/search' /var/log/apache2/access.log | grep 'post_id='
• grep 'wp-json/yoast/v1/meta/search' /var/log/nginx/access.log | grep 'post_id='

Additionally, monitoring WordPress user activity logs for Contributor-level users making REST API calls to Yoast SEO endpoints can help identify suspicious behavior.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the Yoast SEO plugin to version 26.6 or later, where the vulnerability has been fixed by improving capability checks to prevent unauthorized access to sensitive metadata.

If immediate updating is not possible, consider restricting Contributor-level and higher users' access to the Meta Search REST API endpoint or disabling the Yoast SEO plugin temporarily.

Additionally, review user roles and permissions to ensure that only trusted users have Contributor-level or higher access.

Useful 0 Not Useful 0