Critical Vulnerability in WordPress SEO Plugin by Yoast


A critical vulnerability has been found in the popular WordPress SEO plugin by Yoast, allowing users with author, editor, or administrator rights to perform SQL injection on a WordPress site.

After discovering the vulnerability in the plugin yesterday afternoon, the WPScan Team immediately contacted the author/developer. An update to the plugin was released the very next day, and less than half an hour later the details of the vulnerability were made public.

We are not in favor of such a quick publication of vulnerability details, but we are grateful that the WPScan Team at least waited for an official response and a patch from the Yoast team.


There is a possibility that the WordPress core team will decide to perform a background update for all users of this plugin automatically. Many hosting providers have already updated all their clients to the latest version, and have checked database and web server logs for access by third parties.

If you haven’t updated WordPress SEO to version 17.9 yet, we recommend you do so immediately, especially if you have any other users registered on your site besides you.

