Vulnerability in WordPress SEO by Yoast – Upgrade Immediately
A vulnerability has been discovered in WordPress SEO by Yoast. A fix was released yesterday and so was a ton of press coverage – everything from SearchEngineLand to TheHackerNews to Graham Cluley’s website to SERoundTable to ComputerWorld.
It looks like this may be the new normal we’re working with: vulnerability disclosure happens on the same day as the vendor releases a fix. I’d love to hear your thoughts in the comments, whether you’re a plugin author, WordPress admin or anyone else involved in or concerned about WordPress security.
What to do: Upgrade immediately to version 1.7.4 of WordPress SEO by Yoast which contains the fix.
The vulnerability is a SQL injection that needs admin access to be exploited. To the layman, this sounds like it’s unexploitable, but these kinds of security holes are usually exploited via a cross-site request forgery (CSRF): the attacker tricks an admin who is logged in to their own website into loading a crafted link, and the admin’s browser sends the request with the admin’s cookies, so the injection runs with the admin’s privileges.
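To make the admin-only-but-still-exploitable point concrete, here is an added illustration (written for this article, not Yoast’s code and not the code of the actual bug). It shows a hypothetical plugin admin page that sorts a table by a query-string value, first in the pattern that a CSRF link can abuse, then with the two independent defences WordPress plugin authors already have at hand: a nonce check that rejects requests the plugin did not itself generate, and keeping user input out of the SQL text. All function and table names (`hypo_*`) are assumptions for the example.

```php
<?php
// Added illustration, not Yoast's code. Both handlers are assumed to be
// registered as an admin page via admin_menu, so only logged-in admins
// ever reach them. That alone is not a defence, as shown below.

// BEFORE: admin-only, but a cross-site request carries the admin's own
// cookies, so any page the admin visits can make their browser send this
// request, and the unescaped value lands directly in the SQL text.
function hypo_list_redirects_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    // String concatenation into SQL: the injection point.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}hypo_redirects ORDER BY {$orderby}"
    );
}

// AFTER: two independent fixes, each worth having on its own.
function hypo_list_redirects_hardened() {
    global $wpdb;

    // 1. Capability check plus nonce. The nonce is a per-user, time-limited
    //    token embedded in the links the plugin itself renders (see below);
    //    a forged cross-site request cannot know it, so check_admin_referer()
    //    stops the request before any query runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hypo_list_redirects' ); // dies on a missing or invalid nonce

    // 2. Never let user input reach the SQL text. An ORDER BY column cannot
    //    be a bound parameter, so map the input onto a fixed allow-list.
    $allowed = array( 'id', 'old_url', 'new_url', 'hits' );
    $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed, true ) )
        ? $_GET['orderby']
        : 'id';

    // Values that can be bound go through $wpdb->prepare().
    $limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 50;
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hypo_redirects ORDER BY {$orderby} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql );
}

// The link the plugin renders in its own admin UI carries the nonce, so a
// legitimate click passes check_admin_referer() and a cross-site link does not.
function hypo_list_redirects_link( $orderby = 'hits' ) {
    $url = add_query_arg(
        array( 'page' => 'hypo-redirects', 'orderby' => $orderby ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'hypo_list_redirects' );
}
```

The nonce is what breaks the CSRF chain described above: the attacker can make the admin’s browser send a request, but cannot make it send a valid nonce. The allow-list and `$wpdb->prepare()` then mean that even a request which does get through has no way to alter the query.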
Yoast has an excellent user-friendly summary on their blog. Apparently the WordPress team put out an automatic update. Their blog also contains instructions on what to do if you’re using Yoast SEO Premium.
Comments
2:20 pm
Per Yoast (https://yoast.com/wordpress-seo-security-release/), a forced update was pushed by WordPress to all sites. So, unless someone has disabled automatic updates, their site should have automagically updated by now.
7:43 pm
I'm afraid that the instant twitter notification world lends itself to this kind of hyper-bleed-it-leads reaction. As a business owner that provides security hardening alongside Wordfence premium on client sites, and as a long time developer on WordPress, it troubles me when I see the kind of tabloid inspired media responses I see on this issue, and the lack of providing a reasonable amount of time for a software author to assess and resolve and release the result before pouncing on them to the point where damage control takes priority over everything.
It takes a total effort. SEO by YOAST has a strong record of dealing with vulnerabilities quickly and transparently. But not all plugin and theme authors are cut from that cloth. And it doesn't take but a few bad apples to provide ammunition for those to justify loosing the hounds straightaway.
The fair and responsible way, I believe:
Notify the developer first.
Provide a reasonable time for the developer to respond with a plan to fix and release.
Determine how best to protect the user base in a responsible way.
Defer to the developer to be transparent and to lead the effort until they show they won't or can't.
I think that covers my thoughts on the matter.
9:50 pm
Thanks for your feedback John. Apologies for taking so long to approve your comment.
Mark.
8:26 am
WordPress SEO by Yoast is used by a lot of web masters, and CSRF, being a tricky attack, can directly deface the website.
Thank you Wordfence once again for notifying us about this vulnerability.
6:23 am
Received this email from GO DADDY saying to urgently do an update ('ACTION REQUIRED SECURITY UPDATE'). Done the update and now I have lost all my WooCommerce, all my products have gone off my website completely.
My web builder is up a mountain skiing - can you help me with this huge problem ? Please ?
10:45 pm
Steven Stern is right, mine actually updated itself right away so I had no issues with my WordPress SEO by Yoast.