Last Updated on August 5, 2020
Millions of Websites Affected
If you’re a frequent reader of our blog, you probably know that the WordPress SEO by Yoast plugin is one of our favorites. When we heard about its vulnerability yesterday, we immediately updated all the websites under our control. If you’re running any version of this plugin prior to 1.7.4, read this post and download the latest version… now!
Vulnerable to Blind SQL Injection
This sounds scary… and it is. SQL injection (SQLi) vulnerabilities are ranked as critical: they can lead to a breach of the confidential information held in the database. There are hefty fines associated with breaches, especially with regard to non-public consumer information (e.g., names, email addresses) and financial details.
With a blind SQL injection, a hacker inserts a crafted SQL fragment into an application via a client-side input; the application embeds it in a query without sanitizing it, and because no query output is shown directly, the attacker infers results from how the application responds. In this case, the attacker does not need credentials of their own: the injection is triggered through the session of an authenticated admin user, so the request arrives over the site’s normal, authorized channels. Want to understand all the technical details? The Hacker News recaps it nicely, giving credit to Ryan Dewhurst, developer of WPScan.
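To make the bug class concrete, here is an added example (not Yoast’s code, and not the plugin’s schema) of the pattern behind this kind of flaw: a list table that builds its ORDER BY clause from request parameters by string concatenation, beside a hardened version that validates the sort parameters against a whitelist. It uses an in-memory SQLite table with constructed sample rows; the function and column names are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for a plugin's post table.
ROWS = [(1, "Beta post"), (2, "Alpha post"), (3, "Gamma post")]

# The only sort columns and directions an admin list table legitimately needs.
ALLOWED_ORDERBY = {"id", "title"}
ALLOWED_ORDER = {"ASC", "DESC"}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", ROWS)
    return conn


def list_posts_vulnerable(orderby, order):
    """Vulnerable pattern: request parameters are pasted straight into the SQL
    text, so any expression they carry is evaluated by the database."""
    sql = "SELECT id, title FROM posts ORDER BY " + orderby + " " + order
    return _connect().execute(sql).fetchall()


def list_posts_hardened(orderby, order):
    """Hardened pattern: identifiers cannot be bound as query parameters, so
    validate them against a fixed whitelist before building the SQL."""
    if orderby not in ALLOWED_ORDERBY or order.upper() not in ALLOWED_ORDER:
        raise ValueError("rejected sort parameters: %r %r" % (orderby, order))
    sql = "SELECT id, title FROM posts ORDER BY %s %s" % (orderby, order.upper())
    return _connect().execute(sql).fetchall()


if __name__ == "__main__":
    # Legitimate use behaves the same in both versions.
    print(list_posts_hardened("title", "asc"))
    # A sort parameter carrying a SQL expression runs without error in the
    # vulnerable version. Nothing from the expression is echoed back, which is
    # what makes such an injection "blind", but attacker-controlled SQL has run.
    print(list_posts_vulnerable("(SELECT 1)", "ASC"))
    # The hardened version refuses the same input before any SQL is built.
    try:
        list_posts_hardened("(SELECT 1)", "ASC")
    except ValueError as exc:
        print("blocked:", exc)
```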
WordPress SEO by Yoast Patched
The good news is WordPress SEO by Yoast has been updated, patching this latest vulnerability. When I choose a plugin, developer responsiveness (i.e., updates, support, change logs) is at the top of my criteria list. Yoast still has my vote; however, I’m sure he’s feeling a lot of pressure at the moment. He has literally millions of websites running his plugin. This is a blow to his credibility, and WordPress users are watching. Closely.
If you disabled WordPress updates, immediately go to the plugin repository and download 1.7.4.
If you aren’t regularly updating your WordPress website (we’re currently running 4.1.1), you have even bigger issues, in my opinion. Your website is open to many other vulnerabilities, and updating WordPress SEO by Yoast is just one of your security tasks. Read this article about why updating your WP installation should be an ongoing maintenance item. If you need help, just let me know.
Have you lost confidence in Yoast?
photo credit – top: Sean MacEntee