Update Yoast’s Google Analytics for WordPress Plugin v4.1.3 – XSS Scripting Vulnerability Fixed
A while ago I started seeing some very odd links appearing, ones that looked far too natural. The majority of the sites they appeared on seemed to be running the Google Analytics for WordPress plugin, developed by Joost de Valk, with the "Track outbound clicks & downloads" option selected.
So I started to wonder whether these sites had somehow been hacked through a vulnerability somewhere in the plugin. I had a look through the code until I got to the function in charge of tagging the outbound links. Although I could read the PHP, I don't really have much knowledge of XSS, SQL injection and the like, so I asked James (the guy who likes to break things) to have a look.
So James started having a look, and after a bit of time studying the code he told me he had put a comment on my blog (I was running the Google Analytics for WordPress plugin with the track outbound clicks option selected). I went to my blog and saw this:
On clicking the link, the JavaScript simply displays the cookies you have for the site in question. That by itself is not very dangerous, but the same injection point could just as easily send those cookies to a server the attacker controls or perform actions in the browser of whoever clicks, including a logged-in administrator. Because the comment is stored, it fires for every visitor who clicks the link, not just the person who posted it.
The comment James posted was this. The plugin wrapped each outbound link's URL in a tracking call inside the link's onclick handler, so the `']);` at the start of the payload closes the quoted URL and the call, and everything after it runs as JavaScript:
Hi this is an <a href="http://www.google.com']);alert(document.cookie);return false;//" rel="nofollow">interesting link</a> don't you think?
We let Joost know, James suggested a fix, and Yoast got it sorted almost immediately; you can download the latest version (4.1.3) here. If you haven't used the Google Analytics plugin by Joost (Yoast), I'd highly recommend trying it out. I currently have it running on my personal site and it tags all outgoing clicks, which is great for tracking affiliate clicks and seeing where the visitor came from, amongst other things.
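To make the bug concrete, here is an added example that is not the plugin's own code: a simplified reconstruction of an outbound-click tagger that drops the href straight into the onclick handler, beside a hardened version that encodes for the JavaScript-string context and then for the HTML-attribute context. The handler shape, the "outbound-comment" category and the helper names are assumptions; the payload href is the one from James's comment. A small simulated click runs the generated handler with stubbed _gaq, document and alert objects so the two versions can be compared without a browser.

```javascript
// Added example (not the plugin's code): a simplified reconstruction of how an
// outbound-click tagger becomes stored XSS when the href is dropped into an
// onclick handler unescaped, beside a hardened version. The handler shape,
// the "outbound-comment" category and the helper names are assumptions.

// The href James used, taken from the post.
const PAYLOAD_HREF = "http://www.google.com']);alert(document.cookie);return false;//";

// Vulnerable: the href is concatenated straight into a JS string literal that
// itself sits inside an HTML attribute. A single quote in the href ends the
// string literal and the rest of the href runs as code.
function tagLinkVulnerable(href, text) {
  return `<a href="${href}" onclick="_gaq.push(['_trackEvent','outbound-comment','${href}']);">${text}</a>`;
}

// Hardened: encode for the inner context (a JS string) first, then for the
// outer context (an HTML attribute). JSON.stringify escapes quotes and
// backslashes; < > & are turned into \uXXXX so they can never close a tag
// or attribute even if the HTML encoding were forgotten.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
function htmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function tagLinkHardened(href, text) {
  const handler = `_gaq.push(['_trackEvent','outbound-comment',${jsStringLiteral(href)}]);`;
  return `<a href="${htmlAttr(href)}" onclick="${htmlAttr(handler)}">${htmlAttr(text)}</a>`;
}

// Simulate the browser: pull the onclick attribute out of the markup,
// HTML-decode it the way the parser would, and run it with stubbed
// _gaq/document/alert. Returns what actually happened on the "click".
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}
function simulateClick(markup) {
  const m = /onclick="([^"]*)"/.exec(markup);
  const src = decodeAttr(m[1]);
  const result = { pushed: [], alerted: null };
  const _gaq = { push: (args) => result.pushed.push(args) };
  const document = { cookie: "PHPSESSID=deadbeef" }; // constructed stub cookie
  const alert = (msg) => { result.alerted = msg; };
  new Function("_gaq", "document", "alert", src)(_gaq, document, alert);
  return result;
}

// Usage: the vulnerable handler tracks a truncated URL and then runs the
// injected alert; the hardened one tracks the whole href as plain data.
const vuln = simulateClick(tagLinkVulnerable(PAYLOAD_HREF, "interesting link"));
const safe = simulateClick(tagLinkHardened(PAYLOAD_HREF, "interesting link"));
console.log("vulnerable alerted:", vuln.alerted);
console.log("hardened alerted:", safe.alerted);
console.log("hardened tracked href:", safe.pushed[0][2]);
```

The order of the two encodings matters: the browser decodes the HTML attribute first and only then hands the result to the JavaScript engine, so the value must be made a safe JS string before it is made a safe attribute. Escaping only for HTML, as many "sanitise" helpers do, would leave the single quote intact and the breakout still works.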
Carla Marshall 672 days ago
http://www.sorbetdigital.com
Fantastic spot there David – well done to Yoast for responding so quickly too.
David Whitehouse 672 days ago
Cheers Carla!
David Whitehouse 672 days ago
To be fair Carla, it was James that worked it all out, I just gave him a nudge, and he produced the solution for Yoast too – so really it’s down to James that it got fixed so quickly!!!
David Ewing 672 days ago
http://www.ewingenterprise.com/
Hey David, great catch, and *James for the fix! 2 questions. 1) Do you have a link to Yoast's Google Analytics plugin? and 2) I love your author's box at the end of the post; is that a plugin or did you make it in CSS?
David Whitehouse 671 days ago
Hi David, sure it’s here: http://yoast.com/wordpress/google-analytics/
Joost de Valk 672 days ago
http://yoast.com
Thanks guys! Though it's never fun to find security issues, I prefer them coming like this: email, good explanation and even a suggested fix. Awesome!
Google Analytics for WordPress Plugin Vulnerability Fixed 671 days ago
[...] that you update this plugin immediately!To find out more about this security issue, please read "Update Yoast's Google Analytics for WordPress Plugin V4.1.3 — XSS Scripting Vulnerability Fixed."Thanks David and James for finding and reporting this issue. And thanks Joost for updating your [...]
WARNING for users of the Google Analytics Plugin for WordPress « Totally Temberton 671 days ago
[...] http://www.davidnaylor.co.uk/update-yoasts-google-analytics-for-wordpress-plugin-xss-scripting-vulne… [...]
Ricardus 671 days ago
http://www.wpwebhost.com
That's great.. Good job on the suggested fix as well..
Google Analytics for WordPress 4.1.2 XSS Exploit | Tech Blog is Tech 662 days ago
[...] scripting (XSS) exploits in the Google Analytics for WordPress plugin (version 4.1.2). Apparently some others noticed this as well and it was reported to the author who subsequently fixed the issue in the next [...]
Michael 639 days ago
http://www.learncomputer.com
Nice catch, David! I use this plugin on two of my sites (learncomputer.com, goodnetworking.com). I'd better update it quickly!