Blind SQL Injection Vulnerability Discovered in WordPress SEO Plugin by Yoast: Immediate Update Recommended

yoast

A blind SQL injection vulnerability was discovered today in the popular WordPress SEO plugin by Yoast. WPScanVulnerability Database issued an advisory after responsibly disclosing the vulnerability to the plugin’s author:

The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.

The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.

Yoast was quick to respond with a patch and released version 1.7.4 with the following security fix:

Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

Immediate Update Advised

Users running the most recent version are advised to update immediately. If you’re using Jetpack on all your sites, you can quickly update them by visiting: https://wordpress.com/plugins/wordpress-seo. There you will see all the sites where you have the plugin installed and can update from your centralized dashboard.

Hosting companies are scrambling to add a fix to protect customers. The Pressable status blog sent out an advisory on the vulnerability and is immediately updating installations where the plugin is active:

Our systems have already begun updating this plugin across all impacted sites on our systems, and we expect this process to be completed shortly.

SiteGround has added a temporary fix to tide customers over in the meantime before they have the chance to update. The company added new security rules to its WAF (web application firewall), which will actively filter any possible incoming hacking attempts that try to exploit the vulnerability.

WordPress SEO by Yoast is active on more than one million websites. While many hosts are being proactive about getting plugin updates to customers, most of the plugin’s users will not be able to rely on their host to take care of the update. Keeping your site safe from the vulnerability is as easy as logging in and updating to the latest version.

Update Joost de Valk published an update discussing the vulnerabilities and what is fixed.

46 Comments


  1. I am a tad confused as my site says I am running WordPress SEO Premium v1.5.3 and I just updated to the latest version. Is this only affecting the free version on WordPress and not the paid for version. The free version is at 1.7.4

    Report


    1. What features of Premium are you using? v1.5.3 seems to be a year out of date.

      Report


      1. The version numbers for our Premium and Free plugin are not currently the same, unfortunately, we’re fixing that soon. But it’s not out of date, we have also updated Premium, 1.5.3 is patched and safe.

        Report


      2. Hello Joost. I learnt that last night. I must admit, it surprised me that you didn’t send an email out regarding this, or is there something I need to subscribe to on your site? I get your newsletters but I don’t seem to be able to find where I can subscribe to such important information as this.

        Report


      3. We *did* cover it in our newsletter today. Might be that that takes a while to get to you though, we send our newsletter to 150,000+ people so it’s a staggered send.

        Report


  2. Just says SEO premium and for $300 I am hoping that the update I was just notified of in the dashboard is more recent than 1 year old. Only subscribed maybe 5 months or so.

    Report


    1. not sure if this is trolling or just lack of knowledge. The number of plugins has no correlation to security risk. Usually the major factor is complexity which is usually manifested in the number of lines of code (which is very not reliable way to estimate this kind of things, but probably the best there is).

      Report


  3. So far I’ve seen that the hosting companies my clients use have automatically updated this for us. Saves me a lot of pain!

    Report


  4. Hi

    Thanks for letting us know…. but i had some weird experience. I have auto update disabled in the wp-config.php and no jetpack or plugin installed to update plugins automatically. But guess what the plugin was already updated to version 1.7.4.

    I want to know what initiated that auto update as i dont want anything auto updating in my website. WordPress should never oull this on any website if it is disabled.

    Anybody else having this experience?

    Report


      1. I had it disabled and i dont want wordpress to go over that. No matter what reason they might have they should have stayed out of my install.

        If this ever gets hacked they can insert anything into your website. This is utterly absurd.

        Report


      2. Moreover i did not have the version running that was vulnerable…. Now i am stuck with the 1.7.4 version.

        Report


      3. You “did not have the version running that was vulnerable”: that’s impossible. Every version of 1.5 and up was vulnerable, and if you were below that you weren’t updated.

        Report


      4. Actually, your site has already been hacked. By WordPress.

        Report


      5. I’m sure they’ll apologise soon. It’s a pretty big screw up and will certainly break trust with dot org, but at least they were trying to do it for good reasons.

        I have everything set to auto-update anyway and when I don’t, I block file modifications, but others don’t do that and I can understand them being justifiably ticked off about the situation.

        Report


      6. Not a chance that they’ll apologize. This is something you’ll see happen more often for security updates. It was widely published when it happened with Jetpack a while back, so I’m surprised you didn’t know about the option…

        Report


      7. Joost i had not the version running with the vulnerabilitty and most certainly i dont want wordpress to update their or your stuff automatcally. Its my website and not theirs. It is my responsibillity and not yours or your plugin.

        If you have the front door of your house closed what would you say if i suddenly stood in your living room? “Get the hell out !!” i guess. And that is exactly what wordpress should do. regardless what they widely published or not.

        Report


      8. As I said above: if you were on 1.5+ you were vulnerable. If you weren’t, you were not auto updated. So I’m sorry but that’s just not true.

        You might not like auto updates, disable them if you must, as a plugin author, it helps me sleep better.

        Report


  5. I had auto Updates Disabled. And still it installed. That is the whole point.

    Report


      1. define( ‘WP_AUTO_UPDATE_CORE’, false );
        define( ‘AUTOMATIC_UPDATER_DISABLED’, true );

        Report


  6. Joost should of ASKED us and let us do the updates. Forcing an update is like violating our websites. If there is this window for updates, what if it gets hacked and hacker inserts stuff into our websites?

    Report


  7. If I have free plugin Seo Yoast between 1.5 and 1.7.3.3 version, I do not need to update? This is important, because if you have many sites with version of WP under 3.9, these sites can not be updated to the latest version of the plugin…

    Report


    1. Hi

      I think you need to update or use another seo plugin like the all in one seo plugin as the issue in the yoast plugin exists as he stated himselve since version 1.5+ of the wordpress seo plugin which was released march 2014. That is how long this vulnerability exists already and we have been at risk of getting sql code injected into our websites.

      Report


      1. Thanks! And If I have free plugin Seo Yoast under 1.5 version, I do not need to update? I regret the insistence, but it is very important to know exactly..

        Report


      2. Hi Fran,

        I think that answer has to come from Yoast himself but if i read his previous replies correctly the answer to that would be yes. But you cant be sure about that without him confirming this.

        Report


      3. Fran Yoast wrote this above

        “You “did not have the version running that was vulnerable”: that’s impossible. Every version of 1.5 and up was vulnerable, and if you were below that you weren’t updated.”

        Report


      1. As Fran stated “This is important, because if you have many sites with version of WP under 3.9, these sites can not be updated to the latest version of the plugin…”

        He must have a reason to keep on running on 3.9 as apparently something he is running is not updated to run on the latest wp i guess.

        Report


      2. That’s it. I can not run some themes in last version of WP. For example, I am running some themes on 3.8 version of WP, but I can not update WP because then Theme will crash, and I will have to remake the web (and this thing for many sites is impossible..).

        Report


      3. Yes Peter, I have outdated WP and I can not update. Then, if Yoast doesn’t support version of WP like 3.8, 3.7, 3.6 etc… I can not update plugin Seo Yoast… And the only plugin I have found about export Seo Yoast to All in one Seo plugin dosen’t work very well (SEO Data Transporter)… I am lost… (And I think I am not the only one..)

        Report


  8. Thank you WordPress core team for pushing the fix.

    I logged into my site yesterday and did not see any plugin updates pending. I checked WordPress SEO and it was on the latest version. I was a bit bewildered. Then I read about the pushed update by the WordPress core team. I was surprised but not angry. A notice on the dashboard when I logged in would have been nice so that I knew that it had been updated and how.

    I’m fine that the plugin was updated automatically. I realize that with pushed updates there is the potential that a mistake or incompatibility is introduced, but when millions of website are vulnerable then the actual live threat seems to out-weigh the small possible risk.

    Report


  9. I have already updated the Yoast SEO plugin on all my WordPress. Thanks for keeping the users updated about this vulnerability.

    Report


  10. Looks like WPTavern this time is a bit late with the newsL

    A security flaw in the popular WordPress plugin Google Analytics by Yoast allows hackers to execute arbitrary code and take over administrator accounts.

    Revealed on Thursday by Finnish security researcher Jouko Pynnonen on Full Disclosure, the plugin’s security issue allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system — and which is triggered when an admin views the plugin’s settings panel.

    Report


  11. Thankfully WordPress SEO 2.0 has now been released by Yoast :)

    Get upgrading, folks!

    Report


  12. Good and fast response. Nice already a great new version has been released. WordPress SEO rocks!

    Report


  13. Immediately updated mine after finding out about this. Hope everybody got theirs updated right away. I commend the Yoast SEO plugin team for the quick response.

    Report

Comments are closed.