WordPress SEO by Yoast – Plugin Vulnerable To Hackers
Posted by Nitin Jain / March 16th, 2015
“WordPress-SEO by Yoast”, used by almost 14 million WordPress websites, has been reported to have a critical vulnerability that puts the website at risk of being hacked. An attacker who has been added to the website as an Admin, Editor or Author gains the ability to execute arbitrary SQL queries against your website.
Immediate Upgrade Advised-
If you run a website on WordPress and use the Yoast plugin, then in order to protect yourself from this critical vulnerability you are advised to upgrade to version 1.7.4 immediately.
The changelog for version 1.7.4 says-
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
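The three fixes named in that changelog (nonce checks, an Editor capability requirement, and strict sanitization of the `order_by` and `order` parameters) follow a standard hardening pattern. Below is an added example written for this post, not Yoast's own code: a hypothetical admin handler that allowlists the sort parameters before they reach SQL, since ORDER BY identifiers cannot be bound as prepared-statement placeholders. The action name `example_bulk_editor_action`, the nonce field `example_nonce` and the column map are assumptions.

```php
<?php
// Added illustrative example (not Yoast's code): a hardened handler for a
// bulk-editor style admin request that sorts posts by user-supplied
// "order_by" and "order" parameters. It mirrors the three fixes named in
// the 1.7.4 changelog: nonce check, capability check, strict allowlisting.
// Assumes it runs inside WordPress ($wpdb, check_admin_referer, etc.).

// ORDER BY column names and directions cannot be bound with $wpdb->prepare()
// placeholders, so the only safe approach is to map the request value onto
// a fixed allowlist and never interpolate the raw input into the query.
function example_bulk_editor_order_sql( array $request ) {
    global $wpdb;

    // 1. CSRF protection: the request must carry a valid nonce for this
    //    action. check_admin_referer() calls wp_die() if it is missing/invalid.
    check_admin_referer( 'example_bulk_editor_action', 'example_nonce' );

    // 2. Capability check: Editor and above (edit_others_posts), not Author.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 3. Allowlist: request values are used only as keys into this map
    //    (assumed column set for the example); unknown keys fall back.
    $columns = array(
        'title'    => 'post_title',
        'date'     => 'post_date',
        'modified' => 'post_modified',
    );
    $key       = isset( $request['order_by'] ) ? sanitize_key( $request['order_by'] ) : 'date';
    $order_by  = isset( $columns[ $key ] ) ? $columns[ $key ] : 'post_date';
    $direction = ( isset( $request['order'] ) && strtoupper( $request['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    // Only values taken from the allowlist reach the SQL string; the
    // post type is still bound through prepare().
    return $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s ORDER BY {$order_by} {$direction}",
        'post'
    );
}
```

A request carrying `order_by=post_title; DROP ...` or `order=foo` simply falls back to `post_date DESC`, because the raw value is never concatenated into the query.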
Updating Yoast WordPress SEO Plugin-
To update to WordPress-SEO 1.7.4 on WordPress version 3.7 and above-
Login to WordPress Dashboard
Go to Manage > Plugin and Themes > Auto Updates tab
You can also manually download the latest version of this plugin files from WordPress plugins repository (https://wordpress.org/plugins/wordpress-seo/).
Yoast has also announced that the WordPress team has automatically pushed an update to WordPress installs running an older version of the WordPress-SEO plugin, but you are still advised to check the version of this plugin on your website and update it as soon as possible if it is lower than 1.7.4.