A serious vulnerability has been discovered in the WordPress plugin “WordPress SEO by Yoast”.
If left unpatched, a WordPress installation running version 1.7.3 or earlier (see all patched versions below) is vulnerable to a SQL injection attack that requires author, editor, or admin access to be exploited. According to Yoast, this type of attack is most commonly carried out by tricking a user with elevated permissions into visiting a malformed URL.
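The two conditions the advisory describes (a request parameter reaching a SQL query unchecked, and a request that a privileged user can be tricked into sending by following a link) are both addressed at the code level in the same place. The snippet below is an added illustration written for this post, not code from the Yoast plugin or from WordPress core: a hypothetical admin list page that sorts by a column named in the URL, shown first in the weak form and then hardened with a capability check, a nonce check, an allow-list for the column identifier, and `$wpdb->prepare()` for values. The function names, the `example_list_sort` nonce action, and the query are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration (not the Yoast plugin's code): a hypothetical admin
// handler that sorts a post list by a column taken from the request URL.

// --- Weak form: concatenates a request parameter into SQL and performs no
//     check that the logged-in user actually intended this request ---
function vulnerable_list_posts( $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_date';
    $sql     = "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby";
    return $wpdb->get_results( $sql );
}

// --- Hardened form ---
function hardened_list_posts( $wpdb ) {
    // 1. Capability check: only users allowed to edit posts reach this code.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    // 2. Nonce check: check_admin_referer() verifies the _wpnonce field for
    //    the given action and stops the request if it is missing or wrong.
    //    A link built by a third party cannot carry a valid nonce, so a user
    //    who is tricked into visiting it gets an error page, not a query.
    //    'example_list_sort' is an assumed action name for this example.
    check_admin_referer( 'example_list_sort' );

    // 3. Allow-list the sort column. Identifiers (column names, ORDER BY
    //    targets) cannot be bound as prepared-statement parameters, so the
    //    only safe approach is to accept known values and reject the rest.
    $allowed = array( 'post_date', 'post_title', 'ID' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'post_date';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'post_date';
    }
    $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';

    // 4. Bind every data value through $wpdb->prepare(); the identifier and
    //    direction above are already constrained to fixed strings.
    $post_type = isset( $_GET['post_type'] ) ? sanitize_key( $_GET['post_type'] ) : 'post';
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY $orderby $order",
        $post_type
    );
    return $wpdb->get_results( $sql );
}

// Any legitimate link to the hardened page must carry the matching nonce,
// which wp_nonce_url() appends as the _wpnonce query parameter:
// $url = wp_nonce_url( admin_url( 'admin.php?page=example-list&orderby=post_title' ),
//                      'example_list_sort' );
```

The order of the checks matters: the capability test runs first so that an unauthenticated or low-privilege visitor never reaches the query, and the nonce test runs before any request parameter is read, so a crafted link sent to an author or administrator fails before it can influence the SQL at all. The allow-list, rather than escaping, is what actually closes the injection, because escaping functions are designed for string values and do not make an arbitrary column name safe.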
A patched version of the “WordPress SEO by Yoast” plugin, ver. 1.7.4, has been released to fix this vulnerability and can be downloaded from WordPress.org.
In addition, because of the severity of the flaw, as well as the widespread use of this excellent SEO plugin, the team at WordPress.org pushed out a forced automatic update to patch sites with the plugin installed.
For sites that left automatic plugin updates enabled in WordPress:
- If you were running WordPress SEO ver. 1.7 or higher, you’ll have been auto-updated to ver. 1.7.4.
- If you were running ver. 1.6 or higher, you’ll have been updated to ver. 1.6.4.
- If you were running ver. 1.5 or higher, you’ll have been updated to ver. 1.5.7.
If your site is using WordPress SEO Premium, you should upgrade to ver. 1.5.3.
For more details on the vulnerability, please visit:
WordPress SEO Security release (Yoast Blog)
Vulnerability in WordPress SEO by Yoast – Upgrade Immediately (Wordfence Blog)
Although some of the sites we manage use WordPress SEO by Yoast, we update plugins upon release, so NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans were affected by this vulnerability.