Update Yoast’s Google Analytics for WordPress Plugin v4.1.3 – XSS Scripting Vulnerability Fixed

by David Whitehouse
Bronco - Digital Marketing Agency

A while ago I started seeing some very odd links appearing, ones that looked far too natural. It appeared as though the majority of the sites carrying them had the Google Analytics for WordPress plugin, developed by Joost de Valk, with the “Track outbound clicks & downloads” option selected.

So I started to wonder if somehow these sites had been hacked using a vulnerability somewhere in the plugin. I had a look through the code until I got to the function in charge of tagging the outbound links. Although I could read the PHP code, I don’t really have much knowledge about XSS, SQL injection and the like, so I asked James (the guy who likes to break things) to have a look.

So James started having a look, and after a bit of time studying the code he told me he had put a comment on my blog (I was running the Google Analytics for WordPress plugin with the track outbound clicks option selected). So I go to my blog and I see this:

On clicking the link, the JavaScript simply displays the cookies you have for the site in question – not exactly dangerous, but it could be modified to cause much more mayhem, I’m guessing.

The code James used was this:

Hi this is an <a href="http://www.google.com']);alert(document.cookie);return false;&#047;&#047;" rel="nofollow">interesting link</a> don't you think?
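To show why a single quote in the href was enough, here is an added PHP illustration (not the plugin's own code; the exact tracking call and the function names are assumptions) of the unsafe string building beside an escaped version that leaves the same href inert:

```php
<?php
// Added example, not the plugin's code. Assumption: the plugin rewrote every
// outbound <a> so the href was repeated inside an inline onclick handler,
// roughly  onclick="_gaq.push(['_trackEvent','outbound','click','HREF']);".
// The exact tracking call is assumed; the escaping mistake is what matters.

// Vulnerable: HREF is pasted into a JavaScript string literal untouched, so an
// href containing  '])  closes the literal and the call, and whatever follows
// runs as script when the link is clicked.
function tag_outbound_link_vulnerable(string $href, string $text): string
{
    $onclick = "_gaq.push(['_trackEvent','outbound','click','" . $href . "']);";
    return '<a href="' . $href . '" onclick="' . $onclick . '">' . $text . '</a>';
}

// Hardened: only http(s) hrefs are tagged, the URL is encoded once for the
// JavaScript string (json_encode with the HEX flags leaves no ' " < > & in the
// literal) and once more for the HTML attribute the handler sits in.
function tag_outbound_link_safe(string $href, string $text): string
{
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        // Not a plain web link: emit it escaped but without any tracking handler.
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
             . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
    }
    $js_literal = json_encode($href, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP);
    $onclick    = "_gaq.push(['_trackEvent','outbound','click'," . $js_literal . "]);";
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '"'
         . ' onclick="' . htmlspecialchars($onclick, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// The href from the comment above, as the browser hands it over after decoding
// the &#047; entities (constructed test input).
$payload = "http://www.google.com']);alert(document.cookie);return false;//";

// Handler becomes: _gaq.push([...,'http://www.google.com']);alert(document.cookie);return false;//']);
echo tag_outbound_link_vulnerable($payload, 'interesting link'), PHP_EOL;

// Handler becomes: _gaq.push([...,&quot;http:\/\/www.google.com\u0027]);alert(...);return false;\/\/&quot;]);
// which the browser reads back as one harmless string argument.
echo tag_outbound_link_safe($payload, 'interesting link'), PHP_EOL;
```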

We let Joost know, James suggested a fix and Yoast got it sorted almost immediately; you can download the latest version here (version 4.1.3). If you haven’t used the Google Analytics plugin by Joost (Yoast), I’d highly recommend trying it out. I’ve currently got it running on my personal site and it tags all outgoing clicks, which is great for tracking affiliate clicks and seeing where the visitor came from, amongst other things.
