X
    Categories: SEOToolsWordpress

Major WordPress Exploit Affecting Sites using WordPress SEO by Yoast

The major exploit has been discovered in the extremely popular SEO WordPress plugin, WordPress SEO by Yoast. All WordPress blogs that are currently using this SEO plug-in need to upgrade to the latest version.

This exploit means that blogs using WordPress and this plugin are vulnerable to a Blind SQL Injection. This particular exploit requires a user be logged in, however since other exploits can make sites vulnerable to a rogue user gaining Admin, Editor or Author privileges, as well as the potential for phishing to gain login access, means that users of this plugin should update it immediately.

Are you affected? All versions of WordPress for SEO by Yoast prior to version 1.7.3.3 are vulnerable to this exploit. The updated version 1.7.4 was released today, March 11, 2015 which fixes the issue.

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

There are no signs this exploit has been used to exploit websites using this plugin, however now that the information on the vulnerability is released, it is only a matter of time before hackers begin to try and take advantage of those using this plugin that have not updated it recently.

Users who use an auto-update feature for WordPress plugins should check that it has been updated to version 1.7.4, or update it manually to do so.

WordPress SEO by Yoast is one of the most popular SEO plugins with over one million active installs, and almost half of all WordPress sites one of the three most popular SEO plugins.  And with Google now flagging sites that have been exploited through vulnerable WordPress plugins, it is worth updating immedaitely.

Added: If you have auto-updates enabled, WordPress.org has pushed an auto-update due to the severity of the issue.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • If you were running on 1.6.*, you’ll have been updated to 1.6.4.
  • If you were running on 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.

The following two tabs change content below.

Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.
Jennifer Slegg :Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.