Run WordPress SEO by Yoast on your website? You need to update it

Graham Cluley

It’s an incredibly popular WordPress plugin, because it’s tremendously good at what it does.

WordPress SEO by Yoast has over one million active users, running it on their self-hosted WordPress sites to boost their appearance in search engine results.

And, as we all know, the higher you appear in search engines, the more traffic you will get.

Being one of the most popular WordPress plugins, you would expect WordPress SEO by Yoast to work really well. And it does. I know that, because I run it on my own site here at grahamcluley.com. It’s a great plugin.

But that doesn’t mean it’s perfect.

Earlier today I was contacted by Ryan Dewhurst, a freelance security consultant, developer of the WordPress vulnerability scanner WPScan and custodian of the WPScan Vulnerability Database.

Dewhurst explained to me that he had found a serious vulnerability in the WordPress SEO by Yoast plugin:

A remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.

One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site.

More details of the vulnerability can be found here.

Now the good news is that the attack requires a logged-in admin, editor or author of the targeted website to click on a link or visit a boobytrapped webpage while their WordPress session is active: the attacker never logs in themselves, they rely on the victim’s browser sending the malicious request with the victim’s own cookies. This isn’t the kind of attack, therefore, which can be easily launched against every site running WordPress SEO by Yoast, in the way that an unauthenticated remote exploit could be.

Nonetheless, it’s not the kind of flaw that you want lurking on your website.
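To make the bug class concrete, here is an added illustration (written for this page; it is not the Yoast plugin’s code, and the page slug, parameter names and nonce action are invented) of how a WordPress admin page ends up with the combination described above, a request that a third-party page can trigger in a logged-in user’s browser and a parameter that lands straight in a SQL query, beside the hardened version of the same handler.

```php
<?php
// Illustrative only: a hypothetical admin-page handler showing the bug class
// (CSRF-reachable parameter concatenated into SQL) beside a hardened version.
// This is NOT the Yoast plugin's code; the page slug, parameter names and
// nonce action are assumptions made up for this example.

// --- Vulnerable pattern -----------------------------------------------------
// Reached by any logged-in admin/editor/author who loads a link such as
//   /wp-admin/admin.php?page=example-seo-list&orderby=<payload>
// There is no nonce, so a page the attacker controls can make the victim's
// browser send that request (CSRF), and `orderby` goes into the query as-is.
function example_seo_list_vulnerable() {
    global $wpdb;

    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_date';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC';

    // Attacker controls everything after ORDER BY.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = 'post' ORDER BY $orderby $order"
    );
}

// --- Hardened pattern -------------------------------------------------------
// 1. Capability check: only users allowed to see the page get this far.
// 2. Nonce check: the request must come from a link or form this site
//    generated for this user, which a cross-site page cannot forge.
// 3. ORDER BY takes identifiers, not values, so $wpdb->prepare() cannot
//    protect it; accept only allow-listed column names and directions.
function example_seo_list_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_seo_list' ); // dies on a missing or invalid _wpnonce

    $allowed_columns = array( 'post_date', 'post_title', 'post_modified' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'post_date';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'post_date';
    }
    $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    // Values still go through prepare(); identifiers come only from the allow-list.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY $orderby $order",
            'post'
        )
    );
}

// Links to the hardened page must carry the matching nonce, for example:
//   add_query_arg(
//       array( 'page' => 'example-seo-list', 'orderby' => 'post_title' ),
//       wp_nonce_url( admin_url( 'admin.php' ), 'example_seo_list' )
//   );
```

The two fixes are independent and both matter: the nonce stops a cross-site page from driving the request at all, and the allow-list stops the parameter from reaching SQL even if a request does get through. Relying on `$wpdb->prepare()` alone would not be enough here, because it escapes values, not column names.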

Fortunately, the team at Yoast responded to Dewhurst’s responsible disclosure within 90 minutes of him first emailing them, and an update to the plugin was released earlier today. The paid-for Premium edition of the plugin has also been updated.


Frankly, that’s a great response to a problem that could have put users at risk. It’s brilliant that Dewhurst believes in responsible disclosure, and it’s a terrific turnaround from Yoast.

If only all vulnerabilities were fixed as smoothly.

The latest version of WordPress SEO by Yoast (1.7.4) can be found in the WordPress plugin repository. If you run the plugin on your WordPress website, check that you are on 1.7.4 or later, and if you look after several sites, push the update to all of them rather than just the one you happen to be logged into.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “Run WordPress SEO by Yoast on your website? You need to update it”

  1. Thank you Sir! I have at least 15 sites running this plugin. Time to visit my InfiniteWP dashboard and do a mass update. Thanks Again.

  2. Thanks for clarifying the situation regarding the premium version too as it wasn't obvious if that was also affected and that today's update I had in my dashboard covers this issue. Yoast are an excellent company I have found so their quick fix is no surprise.

  3. This is a minimal-impact bug; with admin access you can install a plugin that contains a backdoor anyway.
