
Wordfence Blog

Vulnerability in WordPress SEO by Yoast – Upgrade Immediately

This entry was posted in WordPress Security on March 12, 2015 by Mark Maunder

A vulnerability has been discovered in WordPress SEO by Yoast. A fix was released yesterday and so was a ton of press coverage – everything from SearchEngineLand to TheHackerNews to Graham Cluley’s website to SERoundTable to ComputerWorld.

It looks like this may be the new normal we're working with: vulnerability disclosure happens on the same day the vendor releases a fix. I'd love to hear your thoughts in the comments, whether you're a plugin author, WordPress admin or anyone else involved in or concerned about WordPress security.

What to do: Upgrade immediately to version 1.7.4 of WordPress SEO by Yoast which contains the fix.

The vulnerability is a SQL injection attack that needs admin access to be exploited. To the layman, this sounds like it’s unexploitable, but these kinds of security holes are usually exploited via a cross-site request forgery (CSRF) which tricks an admin into loading a link from their own website (where they’re logged in as admin) which then exploits the vulnerability using the admin’s privileges.
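To make the defensive side of that concrete, here is an added example (a hypothetical plugin admin handler, not Yoast's code and not from Wordfence) showing the three controls that close the path just described: a capability check, a nonce check that a cross-site link cannot satisfy, and a prepared statement so the query itself cannot be altered. Function and action names are assumptions.

```php
<?php
// Added example, not Yoast's code: a hypothetical plugin admin-ajax handler
// that lists posts ordered by a user-supplied column. The three controls below
// address the three parts of the attack described above (CSRF, privilege, SQLi).

// --- Weak shape: trusts the request because "only an admin can reach it" ---
// function plugin_weak_handler() {
//     global $wpdb;
//     $orderby = $_GET['orderby'];   // controlled by whoever crafted the link
//     return $wpdb->get_results( "SELECT ID FROM {$wpdb->posts} ORDER BY $orderby" );
// }

// --- Hardened shape ---
add_action( 'wp_ajax_plugin_list_posts', 'plugin_hardened_handler' );

function plugin_hardened_handler() {
    global $wpdb;

    // 1. Only users who may manage the site reach the query at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. Nonce bound to this action: a link the admin is tricked into loading
    //    from another site cannot carry a valid nonce, so the CSRF step fails.
    check_ajax_referer( 'plugin_list_posts', '_wpnonce' );

    // 3. Identifiers (column names) cannot be bound by prepare(), so allow-list them.
    $allowed = array( 'ID', 'post_date', 'post_title' );
    $orderby = isset( $_GET['orderby'] ) ? (string) wp_unslash( $_GET['orderby'] ) : 'ID';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'ID';
    }

    // 4. Values go through $wpdb->prepare() so they are escaped by WordPress.
    $status = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'publish';
    $rows   = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY $orderby",
            $status
        )
    );

    wp_send_json_success( $rows );
}

// The admin-side link that calls this handler must carry the matching nonce, e.g.:
// wp_nonce_url( admin_url( 'admin-ajax.php?action=plugin_list_posts' ), 'plugin_list_posts' );
```

Wordfence-style plugin review usually checks for exactly these three things in any handler reachable from wp-admin: who may call it, whether the request was intentionally made, and whether request data ever reaches SQL unprepared.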

Yoast has an excellent user-friendly summary on their blog. Apparently the WordPress team put out an automatic update. Their blog also contains instructions on what to do if you're using Yoast SEO Premium.


6 Comments on "Vulnerability in WordPress SEO by Yoast – Upgrade Immediately"

Steven Stern March 12, 2015 at 2:20 pm

Per Yoast (https://yoast.com/wordpress-seo-security-release/), a forced update was pushed by WordPress to all sites. So, unless someone has disabled automatic updates, their site should have automagically updated by now.

John Teague March 12, 2015 at 7:43 pm

I'm afraid that the instant Twitter notification world lends itself to this kind of hyper-bleed-it-leads reaction. As a business owner that provides security hardening alongside Wordfence Premium on client sites, and as a long time developer on WordPress, it troubles me when I see the kind of tabloid inspired media responses I see on this issue, and the lack of providing a reasonable amount of time for a software author to assess and resolve and release the result before pouncing on them to the point where damage control takes priority over everything.

It takes a total effort. SEO by YOAST has a strong record of dealing with vulnerabilities quickly and transparently. But not all plugin and theme authors are cut from that cloth. And it doesn't take but a few bad apples to provide ammunition for those to justify loosing the hounds straightaway.

The fair and responsible way, I believe:

Notify the developer first.
Provide a reasonable time for the developer to respond with a plan to fix and release.
Determine how best to protect the user base in a responsible way.
Defer to the developer to be transparent and to lead the effort until they show they won't or can't.

I think that covers my thoughts on the matter.

mark March 12, 2015 at 9:50 pm

Thanks for your feedback John. Apologies for taking so long to approve your comment.

Mark.

Developers League March 14, 2015 at 8:26 am

WordPress SEO by Yoast is used by a lot of web masters, and CSRF, being a tricky attack, can directly deface the website.

Thank you Wordfence once again to notify us about this vulnerability.

Debi Avery March 18, 2015 at 6:23 am

Received this email from GoDaddy saying to urgently do an update: "ACTION REQUIRED SECURITY UPDATE". Done the update and now I have lost all my WooCommerce; all my products have gone off my website completely.
My web builder is up a mountain skiing. Can you help me with this huge problem? Please?

Tabby April 29, 2015 at 10:45 pm

Steven Stern is right, mine actually updated itself right away so I had no issues with my WordPress SEO by Yoast.
