How “WordPress SEO By Yoast” Could Get Your Site Hacked [Security Alert]

If you are running your site on the WordPress platform and using this awesome plugin [WordPress SEO by Yoast], I would advise you to update it before reading the rest of this article, if you have not already. A huge flaw was found in the plugin by freelance security consultant Ryan Dewhurst which puts your site in danger and could even get it hacked.


You can read more about the technical aspects of the bug in the WPScan Vulnerability Database. According to it:

“The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query.”

In layman’s terms, a malicious hacker could change your database by getting a logged-in author to visit a malformed URL through social engineering.
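As an added illustration (not the plugin's actual code, and not a reproduction of the Yoast patch), here is the general pattern behind a bug of this kind: an admin list screen that drops the orderby and order GET parameters straight into an ORDER BY clause, next to a hardened version that maps them onto a fixed allowlist and checks a nonce so a crafted link cannot trigger the query on a logged-in user's behalf. The function names, column list and nonce action name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumes a WordPress context
// where the global $wpdb object and check_admin_referer() are available.

// Vulnerable pattern: request-controlled strings are concatenated into the
// ORDER BY clause. Identifiers and keywords cannot be bound as prepared-statement
// parameters, so esc_sql() or $wpdb->prepare() would not help here; the values
// have to be validated against a known-good set before they reach the query.
function list_posts_unsafe() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_title';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' "
         . "ORDER BY $orderby $order";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: untrusted input only selects from an allowlist and never
// appears in the SQL text itself; unknown values fall back to safe defaults.
function list_posts_safe() {
    global $wpdb;

    // Require a nonce bound to this screen (action name is an assumption), so a
    // link an author is tricked into opening cannot run the query. This stops
    // the request with a "link expired" page when the nonce is missing or invalid.
    check_admin_referer( 'example_bulk_list_order' );

    $allowed_columns = array( 'post_title', 'post_date', 'post_modified' );
    $orderby = isset( $_GET['orderby'] ) ? (string) $_GET['orderby'] : 'post_title';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'post_title';   // unknown column: use the default, never interpolate
    }

    $order = isset( $_GET['order'] ) ? strtoupper( (string) $_GET['order'] ) : 'ASC';
    if ( 'DESC' !== $order ) {
        $order = 'ASC';            // anything other than the two keywords becomes ASC
    }

    // Only allowlisted literals are interpolated at this point.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' "
         . "ORDER BY $orderby $order";
    return $wpdb->get_results( $sql );
}
```

The same allowlist rule applies to any column name, table name or sort keyword taken from a request, since those parts of a statement can never be handed to a prepared statement as bound values.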

The severity of the bug was so high that it led the WordPress team to force-push this update, so the plugin will be updated automatically unless the auto-update feature is turned off. The update will be rolled out to you automatically depending on your version:

  • If you were running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • If you were running on 1.6.*, you’ll have been updated to 1.6.4.
  • If you were running on 1.5.*, you’ll have been updated to 1.5.7.

Yesterday the Yoast team released a blog post outlining the bug and what they did to patch the flaw.

So, all in all, if you’re on an older version of the plugin, you must update it as soon as possible to avoid any risk of your site getting hacked or compromised.

Note: WordPress SEO by Yoast Premium users need to update the plugin manually by going to Plugins -> Installed Plugins -> WordPress SEO by Yoast and clicking ‘update plugin’.
