The major exploit has been discovered in the extremely popular SEO WordPress plugin, WordPress SEO by Yoast. All WordPress blogs that are currently using this SEO plug-in need to upgrade to the latest version.

This exploit means that blogs using WordPress and this plugin are vulnerable to a Blind SQL Injection. This particular exploit requires a user be logged in, however since other exploits can make sites vulnerable to a rogue user gaining Admin, Editor or Author privileges, as well as the potential for phishing to gain login access, means that users of this plugin should update it immediately.

Are you affected? All versions of WordPress for SEO by Yoast prior to version 1.7.3.3 are vulnerable to this exploit. The updated version 1.7.4 was released today, March 11^, 2015 which fixes the issue.

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

There are no signs this exploit has been used to exploit websites using this plugin, however now that the information on the vulnerability is released, it is only a matter of time before hackers begin to try and take advantage of those using this plugin that have not updated it recently.

Users who use an auto-update feature for WordPress plugins should check that it has been updated to version 1.7.4, or update it manually to do so.

WordPress SEO by Yoast is one of the most popular SEO plugins with over one million active installs, and almost half of all WordPress sites one of the three most popular SEO plugins.  And with Google now flagging sites that have been exploited through vulnerable WordPress plugins, it is worth updating immedaitely.

Added: If you have auto-updates enabled, WordPress.org has pushed an auto-update due to the severity of the issue.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

• running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
• If you were running on 1.6.*, you’ll have been updated to 1.6.4.
• If you were running on 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.