Vulnerability in WordPress SEO by Yoast – Upgrade Immediately

A vulnerability has been discovered in WordPress SEO by Yoast. A fix was released yesterday and so was a ton of press coverage – everything from SearchEngineLand to TheHackerNews to Graham Cluley’s website to SERoundTable to ComputerWorld.

It looks like this may be the new normal we're working with: vulnerability disclosure happening on the same day the vendor releases a fix. I'd love to hear your thoughts in the comments, whether you're a plugin author, WordPress admin or anyone else involved or concerned about WordPress security.

What to do: Upgrade immediately to version 1.7.4 of WordPress SEO by Yoast which contains the fix.

The vulnerability is a SQL injection that needs admin access to be exploited. To the layman, this sounds like it's unexploitable, but these kinds of security holes are usually exploited via a cross-site request forgery (CSRF), which tricks an admin into loading a link to their own website (where they're logged in as admin). That request then exploits the vulnerability using the admin's privileges.
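The pattern described above, as an added example that is not from the original post or from the plugin: a hypothetical admin-only list handler, first in a form that a forged request can drive, then with a nonce check, an allow-list for the column name and bound values. The `example_*` function names, the `example_bulk_list` action and the `orderby`/`status` request parameters are assumptions made for illustration.

```php
<?php
// Hypothetical WordPress admin handler, constructed for illustration.
// It is not code from WordPress SEO by Yoast.

// BEFORE: the capability check passes for any request sent by a logged-in
// admin's browser, including one triggered by a link on another site.
function example_list_unsafe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $order_by = $_GET['orderby']; // request data placed unquoted into SQL
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by"
    );
}

// AFTER: the request must prove it came from the admin's own screen, and no
// request data reaches the query text without being constrained or bound.
function example_list_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid _wpnonce for this action,
    // i.e. the link was built with wp_nonce_url( $url, 'example_bulk_list' ).
    check_admin_referer( 'example_bulk_list' );

    // Identifiers cannot be bound as placeholders, so map the request value
    // onto a fixed allow-list of column names.
    $columns = array( 'title' => 'post_title', 'date' => 'post_date' );
    $key     = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    $column  = isset( $columns[ $key ] ) ? $columns[ $key ] : 'post_date';

    // Values go through $wpdb->prepare() placeholders.
    $status = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'publish';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY {$column} LIMIT %d",
            $status,
            50
        )
    );
}
```

Either control alone narrows the problem: the nonce stops a forged request from reaching the query, and the allow-list plus bound values keep the query fixed even for a legitimate admin request.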

Yoast has an excellent user-friendly summary on their blog. Apparently the WordPress team put out an automatic update. Their blog also contains instructions on what to do if you're using Yoast SEO Premium.




  • Per Yoast, a forced update was pushed by WordPress to all sites. So, unless someone has disabled automatic updates, their site should have automagically updated by now.

  • I'm afraid that the instant Twitter notification world lends itself to this kind of hyper-bleed-it-leads reaction. As a business owner that provides security hardening alongside Wordfence premium on client sites, and as a long time developer on WordPress, it troubles me when I see the kind of tabloid inspired media responses I see on this issue, and the lack of providing a reasonable amount of time for a software author to assess and resolve and release the result before pouncing on them to the point where damage control takes priority over everything.

    It takes a total effort. SEO by YOAST has a strong record of dealing with vulnerabilities quickly and transparently. But not all plugin and theme authors are cut from that cloth. And it doesn't take but a few bad apples to provide ammunition for those to justify loosing the hounds straightaway.

    The fair and responsible way, I believe:

    Notify the developer first.
    Provide a reasonable time for the developer to respond with a plan to fix and release.
    Determine how best to protect the user base in a responsible way.
    Defer to the developer to be transparent and to lead the effort until they show they won't or can't.

    I think that covers my thoughts on the matter.

    • Thanks for your feedback John. Apologies for taking so long to approve your comment.


  • WordPress SEO by Yoast is used by a lot of web masters and CSRF being a tricky attack can directly deface the website.

    Thank you Wordfence once again for notifying us about this vulnerability.

  • Received this email from GO DADDY saying to urgently do an update: 'ACTION REQUIRED SECURITY UPDATE'. Done the update and now I have lost all my WooCommerce, all my products have gone off my website completely.
    My web builder is up a mountain skiing - can you help me with this huge problem? Please?

  • Steven Stern is right, mine actually updated itself right away so I had no issues with my WordPress SEO by Yoast.