The SEM Post

Latest News About SEO, SEM, PPC & Search Engines


Major WordPress Exploit Affecting Sites using WordPress SEO by Yoast

March 11, 2015 at 12:52 pm PST By Jennifer Slegg


A major exploit has been discovered in the extremely popular SEO WordPress plugin, WordPress SEO by Yoast. All WordPress blogs that are currently using this SEO plugin need to upgrade to the latest version.

This exploit means that blogs using WordPress and this plugin are vulnerable to a Blind SQL Injection. This particular exploit requires a user to be logged in. However, since other exploits can give a rogue user Admin, Editor or Author privileges, and phishing can also yield login access, users of this plugin should update it immediately.

Are you affected? All versions of WordPress SEO by Yoast prior to version 1.7.3.3 are vulnerable to this exploit. The updated version 1.7.4, which fixes the issue, was released today, March 11, 2015.

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
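The changelog above names three defensive measures: strict sanitation of the order_by and order parameters, nonce checks on requests, and an Editor-level capability floor for the bulk editor. The following Python sketch is an added illustration of how those three checks fit together; it is not the plugin's own code. It uses an in-memory sqlite3 table with constructed sample rows in place of the WordPress posts table, and a hypothetical HMAC-based nonce (a real WordPress site would use wp_create_nonce / wp_verify_nonce instead). The key point it shows is that ORDER BY column and direction cannot be bound as query placeholders, so the robust fix is an allowlist that maps request values onto fixed SQL fragments and falls back to a safe default for anything else.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for a posts table (not the real wp_posts schema).
SAMPLE_POSTS = [
    (1, "Alpha", "2015-03-01"),
    (2, "Gamma", "2015-03-11"),
    (3, "Beta", "2015-02-20"),
]


def make_db():
    """Build the in-memory table the examples below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, post_title TEXT, post_date TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


# Allowlists: request values are keys, the values are the only SQL fragments
# that can ever reach the query string.
ALLOWED_ORDER_BY = {"title": "post_title", "date": "post_date", "id": "id"}
ALLOWED_ORDER = {"ASC", "DESC"}


def unsafe_order_sql(order_by, order):
    """The flawed pattern: request parameters interpolated straight into SQL."""
    return f"SELECT id, post_title FROM posts ORDER BY {order_by} {order}"


def sanitize_sort(order_by, order):
    """Map untrusted sort parameters onto allowlisted fragments, defaulting otherwise."""
    col = ALLOWED_ORDER_BY.get(order_by, "post_date")
    direction = order.upper() if order.upper() in ALLOWED_ORDER else "DESC"
    return col, direction


def safe_order_sql(order_by, order):
    """Hardened builder: only allowlisted fragments are ever interpolated."""
    col, direction = sanitize_sort(order_by, order)
    return f"SELECT id, post_title FROM posts ORDER BY {col} {direction}"


# Hypothetical nonce scheme: HMAC over user id and action with a server secret.
SECRET = b"constructed-server-secret"


def create_nonce(user_id, action):
    return hmac.new(SECRET, f"{user_id}:{action}".encode(), hashlib.sha256).hexdigest()


def verify_nonce(nonce, user_id, action):
    # Constant-time comparison so a forged nonce cannot be guessed byte by byte.
    return hmac.compare_digest(nonce, create_nonce(user_id, action))


# Rough role ordering used only to express "at least Editor".
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def handle_bulk_edit(conn, user, params):
    """Return (status, rows): capability check, then nonce check, then a safe query."""
    if ROLE_RANK.get(user["role"], -1) < ROLE_RANK["editor"]:
        return "forbidden", []
    if not verify_nonce(params.get("_wpnonce", ""), user["id"], "bulk-editor"):
        return "bad_nonce", []
    sql = safe_order_sql(params.get("order_by", ""), params.get("order", ""))
    return "ok", conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    editor = {"id": 7, "role": "editor"}
    nonce = create_nonce(editor["id"], "bulk-editor")
    print(handle_bulk_edit(db, editor, {"order_by": "title", "order": "asc", "_wpnonce": nonce}))
    print(handle_bulk_edit(db, {"id": 8, "role": "author"}, {"_wpnonce": nonce}))
```

The order of checks matters: the capability test runs first so that a low-privilege account never even reaches the nonce logic, and the nonce is verified before any parameter is looked at, which is what blocks the CSRF variant the changelog mentions.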

There are no signs that this exploit has been used against websites running this plugin. However, now that the vulnerability details are public, it is only a matter of time before attackers start targeting sites that have not updated it recently.

Users who rely on an auto-update feature for WordPress plugins should check that the plugin has been updated to version 1.7.4, and update it manually if it has not.

WordPress SEO by Yoast is one of the most popular SEO plugins, with over one million active installs, and almost half of all WordPress sites use one of the three most popular SEO plugins. And with Google now flagging sites that have been exploited through vulnerable WordPress plugins, it is worth updating immediately.

Added: If you have auto-updates enabled, WordPress.org has pushed an auto-update due to the severity of the issue.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • If you were running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • If you were running on 1.6.*, you’ll have been updated to 1.6.4.
  • If you were running on 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.

Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.
Trackbacks

  1. Major WordPress Exploit Affecting Sites with Shareaholic Social Media Sharing Plugin - The SEM Post says:
    March 20, 2015 at 5:16 am

    […] discovered recently in several popular WordPress plugins over the last few months, including SEO by Yoast, Fancybox-for-Wordpress and Revslider Premium Plugin. It is worth reminding those that use […]

  2. Exploit Discovered in Google Analytics by Yoast Wordpress Plugin - The SEM Post says:
    March 23, 2015 at 4:33 am

    […] with the other recent Yoast plugin to be affected by an exploit – SEO by Yoast – they fixed the vulnerability within one day of it being responsibly […]

  3. WP Super Cache Latest Plugin With Major XXS Exploit, Requires Immediate Update - The SEM Post says:
    April 8, 2015 at 3:20 am

    […] popular with the SEO community to have a discovered exploit patched.  Google Analytics by Yoast, WordPress SEO by Yoast, Shareaholic, RevSlider and Fancybox-for-Wordpress have all recently fixed exploits, so you should […]