Short Pixel and Yoast SEO Plugins Security Issues (May 2023)

This week there were two plugins that had security vulnerabilities and both were reported to be medium.

Shortpixel Adaptive Images Plugin

The ShortPixel Adaptive Images plugin for WordPress has a security flaw in versions up to 3.7.1. This vulnerability is related to a missing security check on the 'shortpixel_ai_handle_page_action' ajax action. As a result, attackers who are not authorized can modify plugin settings by creating a fake request. They can do this by deceiving a site administrator into taking an action, such as clicking a link.

Yoast SEO Plugin

The Yoast SEO plugin extensions, the Premium Extension v20.4 or lower had broken access control and the extension Local Plugin with cross-site request forgery.

A patch was released for the premium extension however no updates on the Local extension from Yoast.

Sources:
1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortpixel-adaptive-images/shortpixel-adaptive-images-371-cross-site-request-forgery-via-shortpixel-ai-handle-page-action
2. https://patchstack.com/database/vulnerability/wordpress-seo-premium/wordpress-yoast-seo-premium-plugin-20-4-unauthenticated-zapier-api-key-reset-vulnerability
3. https://patchstack.com/database/vulnerability/wpseo-local/wordpress-yoast-seo-local-plugin-14-8-cross-site-request-forgery-csrf-vulnerability

Last edited by Admin on Thu May 11, 2023 8:38 am; edited 2 times in total (Reason for editing : added ref links)

These plugins are usually patched as soon as the vulnerabilities are found. I wouldn't be too concerned and keep the plugins updated at all times.