It’s an incredibly popular WordPress plugin, because it’s tremendously good at what it does.
WordPress SEO by Yoast has over one million active users, running it on their self-hosted WordPress sites to boost their appearance in search engine results.
And, as we all know, the higher you appear in search engines, the more traffic you will get.
Being one of the most popular WordPress plugins, you would expect WordPress SEO by Yoast to work really well. And it does. I know that, because I run it on my own site here at grahamcluley.com. It’s a great plugin.
But that doesn’t mean it’s perfect.
Dewhurst explained to me that he had found a serious vulnerability in the WordPress SEO by Yoast plugin:
A remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.
One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site.
More details of the vulnerability can be found here.
Now the good news is that the attack requires a user of the targeted website to click on a link or visit a boobytrapped webpage. This isn’t the kind of attack, therefore, which can be easily launched against every site running WordPress SEO by Yoast.
Nonetheless, it’s not the kind of flaw that you want lurking on your website.
Fortunately, the team at Yoast responded to Dewhurst’s responsible disclosure within 90 minutes of him first emailing them, and an update to the plugin was released earlier today. The paid-for Premium edition of the plugin has also been updated.
Frankly, that’s a great response to a problem that could have put users at risk. It’s brilliant that Dewhurst believes in responsible disclosure, and it’s a terrific turnaround from Yoast.
If only all vulnerabilities were fixed as smoothly.
The latest version of WordPress SEO by Yoast (1.7.4) can be found in the WordPress plugin repository. If you run the plugin on your WordPress website, make sure that you are running the latest update.