Popular WordPress SEO Plugin Vulnerable to Injection Attacks

SEO by Yoast, a popular WordPress plugin used by many podcasters, was found to have a bug that left the software vulnerable to SQL injection attacks. If the exploit were executed, an attacker would be able to take over an entire WordPress installation. From the Threatpost article linked above:

Vulnerable versions of the service are susceptible to arbitrarily executed SQL queries, in part because it lacks proper cross-site request forgery protections. If the attacker were able to trick an authenticated administrator, editor or author into following a link to a malicious page, the attacker could then create an admin role for himself and totally compromise affected sites.
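The bug class the excerpt describes, a plugin admin action that builds SQL from a request parameter and has no CSRF check, shown as a constructed WordPress handler in its weak and hardened forms. This is an added illustration, not the Yoast plugin's own code; the table, hook and parameter names are hypothetical.

```php
<?php
// Constructed illustration of the bug class in the excerpt above (not the Yoast
// plugin's source; table, hook and parameter names are hypothetical).

// WEAK: a page the administrator visits can make their browser issue this request
// (CSRF), and the parameter flows straight into the query (SQL injection).
function example_weak_handler() {
    global $wpdb;
    $order = $_GET['orderby']; // attacker-controlled, never validated
    $wpdb->query( "SELECT * FROM {$wpdb->prefix}example_redirects ORDER BY $order" );
}
add_action( 'admin_post_example_weak', 'example_weak_handler' );

// HARDENED: the same feature with the three checks WordPress already provides.
function example_hardened_handler() {
    global $wpdb;

    // 1. Capability check: only users allowed to manage the plugin get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the request must carry a nonce bound to this action and to
    //    the current user's session; a link planted on a third-party page lacks it.
    check_admin_referer( 'example_list_redirects', 'example_nonce' );

    // 3. Never interpolate input into SQL. Column names cannot be bound as
    //    placeholders, so validate against an allow-list; values go through prepare().
    $allowed = array( 'id', 'old_url', 'new_url' );
    $order   = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    if ( ! in_array( $order, $allowed, true ) ) {
        $order = 'id';
    }
    $limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, old_url, new_url FROM {$wpdb->prefix}example_redirects ORDER BY $order LIMIT %d",
        $limit
    ) );
    // ... render $rows in the admin page ...
}
add_action( 'admin_post_example_hardened', 'example_hardened_handler' );

// Links to the action are generated with the matching nonce attached.
$url = wp_nonce_url( admin_url( 'admin-post.php?action=example_hardened&orderby=old_url' ),
                     'example_list_redirects', 'example_nonce' );
```

Without the nonce, a request that merely arrives with the administrator's cookies is enough; with it, the browser of a user lured to a third-party page cannot produce a request the handler will accept.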

While it’s impossible to know how many WordPress sites are running the vulnerable plugin, the SEO by Yoast page on the WordPress plugin directory shows that the software is currently actively installed on over one million sites. To fix the vulnerability on your own WordPress site, ensure that you’re running version 1.74, which is the latest version of the Yoast plugin. (If you’re running an older version of the plugin, the WordPress dashboard should notify you of an available update the next time you log in.)

And regardless of which plugins you use, it’s always important to make sure all of them (as well as your core WordPress files) are always kept up to date. It’s the best way to safeguard your site against these kinds of issues.