Vulnerability in WordPress SEO by Yoast – Upgrade Immediately
A vulnerability has been discovered in WordPress SEO by Yoast. A fix was released yesterday and so was a ton of press coverage – everything from SearchEngineLand to TheHackerNews to Graham Cluley’s website to SERoundTable to ComputerWorld.
It looks like this may be the new normal we’re working with: Where vulnerability disclosure happens on the same day as a fix is released by the vendor. I’d love to hear your thoughts in the comments, whether you’re a plugin author, WordPress admin or anyone else involved or concerned about WordPress security.
What to do: Upgrade immediately to version 1.7.4 of WordPress SEO by Yoast which contains the fix.
The vulnerability is a SQL injection attack that needs admin access to be exploited. To the layman, this sounds like it’s unexploitable, but these kinds of security holes are usually exploited via a cross-site request forgery (CSRF) which tricks an admin into loading a link from their own website (where they’re logged in as admin) which then exploits the vulnerability using the admin’s privileges.
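To make the two halves of that attack path concrete from the defender's side, here is an added example (not Yoast's code, and not the vulnerable code from the plugin) of a hypothetical WordPress admin handler that closes both of them: a nonce check so a link forged on another site is rejected even when the admin is logged in, and a prepared statement so the submitted value can never change the SQL. The hook, action and function names (`example_lookup`, `example_handle_lookup`) are assumptions for illustration; the WordPress APIs used are real.

```php
<?php
// Added example, not Yoast's code: a hypothetical admin form plus its handler.
// Two controls matter for the scenario described above:
//  1. CSRF: the request must carry a nonce issued for this user and action,
//     so a link the admin is tricked into loading from elsewhere is refused.
//  2. SQL injection: the value is bound with $wpdb->prepare, never concatenated.

function example_render_form() {
    // wp_nonce_field() emits a hidden token tied to the current user/session.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_lookup', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_lookup">
        <input type="text" name="post_slug">
        <button type="submit">Look up</button>
    </form>
    <?php
}

function example_handle_lookup() {
    global $wpdb;

    // Capability check: this action is for administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // CSRF check: check_admin_referer() dies unless the nonce is present and
    // valid for this user and action. A forged cross-site request lacks it.
    check_admin_referer( 'example_lookup', 'example_nonce' );

    $slug = isset( $_POST['post_slug'] )
        ? sanitize_text_field( wp_unslash( $_POST['post_slug'] ) )
        : '';

    // Parameterised query: %s is bound by $wpdb->prepare, so quotes or SQL
    // keywords inside $slug remain data and cannot alter the statement.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s",
            $slug
        )
    );

    foreach ( $rows as $row ) {
        // Escape on output as well, so the result cannot inject HTML.
        echo esc_html( $row->ID . ': ' . $row->post_title ) . "\n";
    }
}

// admin-post.php routes action=example_lookup to this handler for logged-in users.
add_action( 'admin_post_example_lookup', 'example_handle_lookup' );
```

Dropping either control reopens one half of the path: without the nonce an admin can be made to submit the form from a third-party page, and without `prepare` the submitted value reaches the query as SQL.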
Yoast has an excellent user-friendly summary on their blog. Apparently the WordPress team put out an automatic update. Their blog also contains instructions on what to do if you’re using Yoast SEO Premium.