Proactive security fixes in Yoast SEO (update to v20.2.1)

We take security seriously at Yoast and continually look for potential threats and vulnerabilities that could affect our products and customers. That’s why we were alarmed when security firm WordFence found XSS vulnerabilities in another SEO plugin. After carefully reviewing the issues, we found a similar but less severe vulnerability in Yoast SEO, which we chose to patch immediately.

Please update to the latest version today to ensure your site is protected.

Am I affected?

The issue only affected websites with multiple users, where those users had ‘contributor’ level access or above. In some cases, those users could store and execute code in our snippet editor, which would have run for other users. A malicious person could have taken advantage of this to compromise other users or the website in question. This is a type of ‘XSS’ attack.

In short, some of the people you’d given limited permission to publish or edit content on your site might have been able to work around those permissions and do harm should they have wished to.

What’s an XSS vulnerability?

XSS stands for cross-site scripting, a type of attack that allows malicious actors to inject scripts into web pages viewed by other users. An issue like this can lead to various consequences, such as hijacking user sessions, defacing websites, or redirecting users to malicious sites.

XSS vulnerabilities occur when user input fields are not properly sanitized (ensuring that values are safe and conform to expected formats and patterns) or not properly escaped (where special characters or code are safely converted to text).
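The two defenses named above, applied to a snippet-style title and description field, as an added example (not Yoast SEO's or WordPress's code; the function names, the 160-character limit and the sample strings are assumptions constructed here). It shows that a value can pass sanitization as legitimate text and still need escaping when it is placed into HTML.

```javascript
// Added example: hypothetical helpers, not code from Yoast SEO or WordPress.
const MAX_FIELD_LENGTH = 160; // assumed limit, chosen for illustration

// Sanitize on save: force the stored value into the expected shape
// (plain, single-line text of bounded length). This narrows what can be
// stored, but it is not the control that makes rendering safe.
function sanitizeSnippetField(input) {
  return String(input)
    .replace(/<[^>]*>/g, "")                 // drop anything shaped like a tag
    .replace(/[\u0000-\u001F\u007F]/g, " ")  // control characters, incl. newlines
    .replace(/\s+/g, " ")                    // collapse runs of whitespace
    .trim()
    .slice(0, MAX_FIELD_LENGTH);
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape on output: convert characters that are special in HTML text and in
// quoted attribute values into entities, so the browser shows them as text.
// Other contexts (URLs, inline script, CSS) need their own encoders.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render path: every stored value is escaped at the point of use, even though
// it was sanitized when saved.
function renderSnippetPreview(title, description) {
  const t = escapeHtml(title);
  const d = escapeHtml(description);
  return `<div class="snippet-preview"><h3 title="${t}">${t}</h3><p>${d}</p></div>`;
}

// Constructed sample input: legitimate text that still contains a quote,
// an ampersand and a less-than sign after sanitization.
const storedTitle = sanitizeSnippetField('<b>5" monitors</b> &\n more');
const storedDescription = sanitizeSnippetField("Prices where a < b");
console.log(storedTitle);
console.log(renderSnippetPreview(storedTitle, storedDescription));
```
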

What do I need to do?

If your site has multiple users, you may have been affected. If this applies to you, you should update your Yoast SEO plugin immediately. We also recommend conducting a security audit (see our security guide), enabling auto-updates for plugins, and ensuring that you have regular backups in place.

If your site doesn’t have multiple users, you don’t need to worry. Of course, you should still update your plugin as part of best practices.

What did Yoast do?

We’re proud that we reacted quickly, fixed this issue, and released a patch within 24 hours. We also thoroughly reviewed parts of Yoast SEO and found no other security issues present. Thanks to this fix, Yoast SEO is now more secure than ever. Our development processes now include extra checks to ensure that issues like this don’t happen again.

We can proudly say that our ability to react, diagnose, and deliver updates this quickly, whether they’re security fixes or responses to changes in Google’s algorithm, sets us apart from others.

It takes a village

While this issue should have never happened in the first place, we’re happy that we discovered it ourselves before it became common knowledge and a larger risk.

That was made possible partly by the great work from WordFence in disclosing the related issue in another plugin and by Roger Montti’s article in Search Engine Journal covering the leak. We appreciate their professionalism and expertise in helping WordPress plugin developers improve their security.

We also want to thank our customers for their trust and support. At Yoast, we’re committed to providing you with the best SEO plugins and will continue to improve them.

If you have any questions or concerns about this issue or any other security matter, please do not hesitate to contact us at security@yoast.com. You can also participate in our security program to help us improve our work.

Thanks for your understanding, and keep in mind that we are always here to help.


2 Responses to Proactive security fixes in Yoast SEO (update to v20.2.1)

  1. Curt Crowley  • 1 year ago

    Great job on responding quickly and proactively addressing the XSS vulnerability in the Yoast SEO plugin. It’s reassuring to see your commitment to security and improving your products.
    Thanks Again
    Curt

    • Camille Cunningham  • 1 year ago

      Thank you, Curt! That’s good to hear :)