Blind SQL Injection Vulnerability Discovered in WordPress SEO Plugin by Yoast: Immediate Update Recommended


A blind SQL injection vulnerability was discovered today in the popular WordPress SEO plugin by Yoast. WPScanVulnerability Database issued an advisory after responsibly disclosing the vulnerability to the plugin’s author:

The latest version at the time of writing ( has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.

The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.

Yoast was quick to respond with a patch and released version 1.7.4 with the following security fix:

Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.

Immediate Update Advised

Users running the most recent version are advised to update immediately. If you’re using Jetpack on all your sites, you can quickly update them by visiting: There you will see all the sites where you have the plugin installed and can update from your centralized dashboard.

Hosting companies are scrambling to add a fix to protect customers. The Pressable status blog sent out an advisory on the vulnerability and is immediately updating installations where the plugin is active:

Our systems have already begun updating this plugin across all impacted sites on our systems, and we expect this process to be completed shortly.

SiteGround has added a temporary fix to tide customers over in the meantime before they have the chance to update. The company added new security rules to its WAF (web application firewall), which will actively filter any possible incoming hacking attempts that try to exploit the vulnerability.

WordPress SEO by Yoast is active on more than one million websites. While many hosts are being proactive about getting plugin updates to customers, most of the plugin’s users will not be able to rely on their host to take care of the update. Keeping your site safe from the vulnerability is as easy as logging in and updating to the latest version.

Update Joost de Valk published an update discussing the vulnerabilities and what is fixed.


46 responses to “Blind SQL Injection Vulnerability Discovered in WordPress SEO Plugin by Yoast: Immediate Update Recommended”

  1. I am a tad confused as my site says I am running WordPress SEO Premium v1.5.3 and I just updated to the latest version. Is this only affecting the free version on WordPress and not the paid for version. The free version is at 1.7.4

    • not sure if this is trolling or just lack of knowledge. The number of plugins has no correlation to security risk. Usually the major factor is complexity which is usually manifested in the number of lines of code (which is very not reliable way to estimate this kind of things, but probably the best there is).

  2. Hi

    Thanks for letting us know…. but i had some weird experience. I have auto update disabled in the wp-config.php and no jetpack or plugin installed to update plugins automatically. But guess what the plugin was already updated to version 1.7.4.

    I want to know what initiated that auto update as i dont want anything auto updating in my website. WordPress should never oull this on any website if it is disabled.

    Anybody else having this experience?

  3. If I have free plugin Seo Yoast between 1.5 and version, I do not need to update? This is important, because if you have many sites with version of WP under 3.9, these sites can not be updated to the latest version of the plugin…

  4. Thank you WordPress core team for pushing the fix.

    I logged into my site yesterday and did not see any plugin updates pending. I checked WordPress SEO and it was on the latest version. I was a bit bewildered. Then I read about the pushed update by the WordPress core team. I was surprised but not angry. A notice on the dashboard when I logged in would have been nice so that I knew that it had been updated and how.

    I’m fine that the plugin was updated automatically. I realize that with pushed updates there is the potential that a mistake or incompatibility is introduced, but when millions of website are vulnerable then the actual live threat seems to out-weigh the small possible risk.

  5. Looks like WPTavern this time is a bit late with the newsL

    A security flaw in the popular WordPress plugin Google Analytics by Yoast allows hackers to execute arbitrary code and take over administrator accounts.

    Revealed on Thursday by Finnish security researcher Jouko Pynnonen on Full Disclosure, the plugin’s security issue allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system — and which is triggered when an admin views the plugin’s settings panel.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: