A vulnerability has been discovered in WordPress SEO by Yoast. A fix was released yesterday and so was a ton of press coverage – everything from SearchEngineLand to TheHackerNews to Graham Cluley’s website to SERoundTable to ComputerWorld.
It looks like this may be the new normal we’re working with: Where vulnerability disclosure happens on the same day as a fix is released by the vendor. I’d love to hear your thoughts in the comments, whether your’e a plugin author, WordPress admin or anyone else involved or concerned about WordPress security.
What to do: Upgrade immediately to version 1.7.4 of WordPress SEO by Yoast which contains the fix.
The vulnerability is a SQL injection attack that needs admin access to be exploited. To the layman, this sounds like it’s unexploitable, but these kinds of security holes are usually exploited via a cross-site request forgery (CSRF) which tricks an admin into loading a link from their own website (where they’re logged in as admin) which then exploits the vulnerability using the admin’s privileges.
Yoast has an excellent user-friendly summary on their blog. Apparently the WordPress team put out an automatic update. Their blog also contains instructions on what to do if your’e using Yoast SEO Premium.
The post Vulnerability in WordPress SEO by Yoast – Upgrade Immediately appeared first on Wordfence Blog.
The post Vulnerability in WordPress SEO by Yoast – Upgrade Immediately appeared first on WP Security Bloggers.