Popular WordPress Plugin ‘SEO by Yoast’ Vulnerable To Hackers


The Hacker News reports that a vulnerability affecting millions of users has been found in the industry-leading WordPress plugin SEO by Yoast.

According to an advisory, all versions of SEO by Yoast prior to are vulnerable to a Blind SQL Injection web application flaw. This is considered a critical vulnerability because it could seriously compromise your WordPress site.

Mohit Kumar of Hacker News explains how the vulnerability works:

“Basically, in an SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. However, in this scenario, an outside hacker can’t trigger this vulnerability themselves because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only.

Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick an authorized user into clicking on a specially crafted payload exploitable URL.”

To simplify: an attacker could exploit this vulnerability by tricking a logged-in WordPress admin, editor, or author into clicking a link that triggers the SQLi attack in their session.

Once the attack has been carried out, the attacker could add their own admin account to the vulnerable WordPress site and do whatever they want with it.

A key takeaway is that not everyone who has SEO by Yoast installed is automatically affected. The attack can only be triggered when a WordPress admin, editor, or author clicks on a dangerous link created by the attacker.
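The bug class described above, shown as an added illustration that is not the Yoast plugin's code: a hypothetical WordPress admin list table that reads a sort column and direction from the query string, first with the value concatenated into SQL, then hardened with a nonce check (which defeats the "click this link" social-engineering path), a whitelist for the ORDER BY identifiers, and `$wpdb->prepare()` for data values. The parameter names, nonce action and page slug are assumptions.

```php
<?php
// Hypothetical illustration of the bug class, NOT the Yoast plugin's code.
// Both functions back an admin-only list table and read sort options from $_GET.

// Vulnerable pattern: request input is concatenated straight into the query.
// The page is only reachable by logged-in Admin/Editor/Author users, but a
// crafted link that such a user follows is enough: the injected clause runs
// with the victim's session, which is exactly the scenario in the advisory.
function vulnerable_get_posts( $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_title';
    $order   = isset( $_GET['order'] )   ? $_GET['order']   : 'ASC';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'post' ORDER BY $orderby $order";
    return $wpdb->get_results( $sql );
}

// Hardened pattern:
// 1. check_admin_referer() dies unless the request carries a valid nonce, so a
//    link pasted into an e-mail or forum post cannot trigger the query.
// 2. ORDER BY identifiers cannot be bound as prepared-statement values, so the
//    column and direction are restricted to a fixed whitelist instead.
// 3. Real data values (here the post type) go through $wpdb->prepare().
function hardened_get_posts( $wpdb ) {
    check_admin_referer( 'bulk_editor_sort' ); // nonce action name is assumed

    $allowed_columns = array( 'post_title', 'post_date', 'post_modified' );
    $orderby = 'post_title';
    if ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_columns, true ) ) {
        $orderby = $_GET['orderby'];
    }
    $order = ( isset( $_GET['order'] ) && 'DESC' === strtoupper( $_GET['order'] ) ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s ORDER BY $orderby $order",
        'post'
    );
    return $wpdb->get_results( $sql );
}

// Sort links the plugin itself emits must carry the matching nonce, e.g.:
// wp_nonce_url( admin_url( 'admin.php?page=bulk-editor&orderby=post_date' ), 'bulk_editor_sort' );
```

Detection-wise, the hardened version also gives you a log line to watch for: WordPress answers a failed nonce check with a "link has expired" error page, and a burst of those from one account on an admin page is worth investigating.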

In addition, this is something that can easily be fixed by updating your plugin to the latest version. The Yoast team promptly patched the flaw upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.

In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. If you don’t have the auto-update feature turned on, it’s strongly recommended that you update the SEO by Yoast plugin on all sites where you have it installed.

Matt Southern
Matt Southern has been the lead news writer at Search Engine Journal since 2013.
  • Debjit Saha

    Yoast SEO and All In One SEO are the two most popular SEO plugins for WordPress, and as such the developers must ensure such things are fixed ASAP, or they should hire security auditors to keep things in place.

  • Brian Jackson

    Thanks for the heads up Matt! This is especially dangerous for those with multi-author blogs as the chance of something happening increases dramatically.

  • Norman

    This is serious. The huge number of websites that use this plugin will not be happy to hear the news.

  • Leon Ridge-Cooke

    Thanks for the heads up. I can’t believe that such a high reputation plugin author can let something of this magnitude slip through.

    • Joost de Valk

      Not to downplay the issue here, but it’s not a “one click entry” security issue. You need to successfully phish a logged in user of a site before you can do anything with this. It’s still a serious issue, but (security) bugs exist, always, everywhere. It’s how you deal with them that matters.

      • Remco

        So, quite a ‘heavy’ emphasis in this article. Stating if, if, if, then, but only if… Which goes for sooooo many apps and plugins. Hello!

        So several people go all finger-pointing towards what the developers have done wrong, or where they’ve been off guard. And then Yoast HIMSELF responds, within no time, on this website over here. Again: hello! 🙂 …and not a single soul ever responded to Yoast’s comment since.

        Lol. Don’t let them eat the cheese off your bread, Joost. Pardon my Dutch 😉 Hope you wisely and correctly ‘dismissed’ this article the minute you read it, and you and your team will remain of the same importance to thousands of people like me, simply by doing what you do. Sheer thanks are appropriate.

  • Reginald Chan

    Hey Matt,

    Thanks for the update. When I saw the update, I knew something was wrong. Thanks for highlighting this and appreciate it!

  • Alen John Mathew

    We have been using this Yoast plugin for the last 6 months and haven’t had any issue yet. This plugin is a great one. We do hope the Yoast team has already fixed this issue.

  • Ryan Scollon

    It was only the other day that I was thinking to myself whether Yoast SEO would ever become a vulnerability, mainly because of its popularity and the disaster it could cause if it was. I’ve been telling most of my clients for weeks to get their WordPress websites protected with wArmour but they never listened… I think they will now.

  • Vikas Singh Gusain

    Hi Matt,

    Shame, the hackers are now coming at everything and trying to ruin a great plugin. Good job on the Yoast team’s part, for a quick recovery patch update eliminating the problem. Thanks Matt for the update.

  • Matt LaClear

    If it’s accessible on the Internet, it’s susceptible to being hacked. We all accept that fact! On a note though, the integrity of the developers matters. How fast did they address the challenge and what was their follow up with those who use their product?

    With respect to developers, there should be a better way of letting its users know so that security vulnerabilities aren’t broadcast to the world. That alert may very well open the door to hackers looking for a score. Thanks for sharing the update.

  • Jason

    Thank you so much for this info. I have installed All in One SEO and SEO by Yoast on all of my WordPress sites for easy SEO, and this certainly unsettled me. I have updated my plugins to their latest versions and I hope that the developers keep this tip-top clean.