Skip to content

WordPress SEO Security release

Joost de Valk 11 March 2015 93

This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. A bit more details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.

What did we fix?

We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.

Why we didn’t catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse but it’s a good lesson to learn for other developers.

Responsible disclosure

We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • If you were running on 1.6.*, you’ll have been updated to 1.6.4.
  • If you were running on 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.

Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.

Avatar of Joost de Valk
Joost de Valk

Joost is an internet entrepreneur and the founder of Yoast. He has a long history in WordPress and digital marketing. On our blog, he has written a lot about SEO in general, technical SEO and important topics related to SEO.

Discussion (93)

  • yeah, have encountered the plugin deactivating itself on MULTIPLE sites over the last week…this is definitely an issue

  • looks like you didn’t like my other email address as my previous reply looks like it went through.. here is my issue:

    i recently took over a site that is using thyis plugin version 1.5.2.6 and when i upgrade to 1.7.4, the site breaks.. all of the pages give a ‘not found’ and i’m not sure why. i don’t think the previous person did any custom coding as they weren’t technical enough but they did update a lot of the settings for this plugin. is there something i can look at that makes this happen that maybe someone else encountered?

  • Thanks for the update of my favorite SEO plugin ;-)

  • Some of my clients websites were having issues after the update but was a easy fix and up and running now.

  • Love the plugin but I’ve had to disable WordPress SEO (1.7.4) as it doesn’t work with my WordPress 4.1.1 running the Radius theme – happy to pay for the premium version, but need assurances it will work first!

  • Thanks for getting this sorted guys, I better crack on and get 30 or so sites updated.

  • It’s nice to see such a great plugin actively maintained. When i first heard about this security patch it was from another sources. Yet my dashboard was saying there are no updates available.
    Later i saw it was done automatically .

    Thank you for your work

  • Hi, I tried to update from 1.7.1 for a client but was not able to. What might be the reason for that? Thx for your help!

  • Thanks!
    Update successfull, two older Versions I updated via FTP.

  • Hi,

    I have WordPress SEO on version 1.5.3 and it doesn’t give me the option to update. Also when I go to Plugins and search to download a newer version the option isn’t there.

    How do i get to 1.7.4?
    Thanks

  • Hi Joost de Valk,

    I am using this plugin for the seo, but thank you for this update, now my blog is secure :)

  • My version hasn’t auto updated (currently 1.7.1) yet.
    If I just download and do a manual update, is that ok? Will I keep all my settings from the current version? Should I deactivate 1.7.1 first or just install 1.7.4? Thanks

  • Is there already any news on what to with affected sites, we had a massive break in on three sites on the same shared hosting on the 11th at around midnight (the plugin was at that time not updated), malicious files were uploaded, unknown admins registered and tons of posts inserted directly through SQL.

    After following whatever I could find it seems I have managed to banish the unauthorized access yet the posts like this one:

    http://mosaic-stone.com/1080p-the-judge-ita/

    are still there, WordPress does say that there is 29000+ posts, yet I cannot see them. I haven’t found any literature on systems affected by this bug yet and was wondering if anyone would know what to do.

    Actually the websites don’t contain any posts posted by me so if there is an SQL trick to simply delete all of them this would probably suffice.

  • thanks for the quick fix we love this plugin

  • Hey Can I use this Plugin In My Blogger Blog ? Please Reply as soon as possible..

  • Hi Yoast,

    Just to corroborate on what Apoorv Agrawal said on sitemap issue.
    I’m having the same problem, my sitemap page is showing 404 error page.

    Thanks

  • Well hello yoast I don’t know since how long this issue was up but one thing that I’m certainly getting issue with is site map site map is not getting generated rather it’s talking it to 404 pages! Hope to get a solution!

  • Thanks for the quick fix and communicating to us officially about this issue.

  • Currently using free version and giving so impressive results..will be going for Premium version very soon for more features..

  • Just made the update for the plugin. It’s working fine now and there’s no error for my blog at all.

  • Thanks for the quick fix. SEO Yoast in the best SEO plugin :)

  • Just few days ago, I activated the automatic plugin update feature in my WordPress, and now I can thanks to the option for securing my websites while I was enjoying my sleep.

    I received couple of messages from friends about the security breach, and vulnerability. I took sometime to manually check each and every installation of my WordPress that runs SEO Yoast plugin.

  • My site’s plugin was also deactivated. If Yoast didn’t do this, I wonder who / what deactivated the plugin on so many of our websites.

  • Thanks for automatically fixing the plugin…

  • Hi

    I´ve 2 websites they have ver 1.4 and didn´t update automatically, so I´ve to upload the latest version manualy, right? Is there the possiblity of loosing my custom Title and Meta Tags?

  • Hi,

    Thank you for the update. Most appreciated here.

    Thanks God. I updated the plugin on the right time.

    Keep it up.

    Regards,
    Omar

  • So what happen to the websites already attacked? I can see spam links on the top of my page?
    I discover this issue few weeks a go and we thought its from Contact form 7. Never guess its from yoast.
    Thanks
    Don

  • Thanks for the update Joost de Valk. I have updated plugin just now!

  • @ambrosite asked what the fix was but no answer.
    It looks like WPSEO_Utils::filter_input() is called, which calls filter_input(). As FILTER_DEFAULT is filter used (without any flags) and PHP docs says: “This will result in no filtering taking place by default.”, how does this fix the issue?

  • Hi

    ive just looked through Yoast WP SEO plugin interface for a clients install and cant see version number reference anywhere, only ref is to verison 4 which i presume must be WP not Yoast , where do we look to check version number ?

    thanks
    dan

  • I have to say, “one would expect this would prevent an SQL injection” is somewhat rude.
    I write code that is used by almost nobody, and I take the time – my own time – to read the documentation of every single function I call.
    I don’t want to diminish your character or the nature of your contributions to the Internet and to WordPress as a whole, but this is a very flagrant piece of damage control. I’m compelled to call it out, I was recommending Yoast to my employer just this morning and I am quite embarssed. I really do regret it, now. Sorry, Joost but… they run a serious business and will be targeted.

    Shame.

  • Great to hear that you updated the plugin as soon as an issue was found, even such a small one. Thanks again for the great plugin, love it!

  • Never a good thing to happen but the fast update is much appreciated as always.

  • Hello, I have version 1.5.6 of yoast seo plugin but I don’t see the update available on the plugins administrator.

    How can I manually update the plugin?

    Thanks.

  • Oh, No ! I was very worried about the malware attack ! But, finally i fixed after learning from one of my Facebook friends status !

    Thanks for update !

  • My earlier post of one minute ago had been stripped of my quote from Silver Fox

    Version 1.7.4 is definitely safe, as it is the latest version…

  • I have Version 4.1.1 yet the security release refers to

    (Thanks Silver Fox)
    I cannot make these ‘facts’ jibe.
    What should I know to understand? Is the security issue relevant to me?

  • Just got an iThemes ‘file change warning’ that over a hundred files just got changed on my site, I panicked searched and found this release writeup. I just love it when WordPress can take charge and auto update! Thanks for the uber-quick response Yoost! Cheers

  • This article needs a response from the man himself;
    http://www.searchenginejournal.com/popular-wordpress-plugin-seo-by-yoast-vulnerable-to-hackers/128040/
    I think this was patched as soon as it was found, and to be fair SQL injections can happen to anything anywhere.

  • I noticed that the forced automatic update has deactivated the plugin on every install that I’ve seen so far, about 10 at this point. Obviously, the security fix was a must and if this is the price of being secure, then so be it. But, fair warning to all, if you have clients that had this plugin installed on a site that you handed over, you may be getting a call at some point in the future if their indexing starts to look off and they don’t know about this.

  • Appreciate the fast turnaround in fixing the security hole.

    My premium plugin license expired two weeks ago so I can’t update. I obviously don’t want a security issue with plugin but can’t purchase a license update right now. Is there a way I can patch this myself?

  • Hello Joost!

    Thank you for the plugin update! I already had updated it the other day.

    ~ Adeel Sami

  • Thanks for the heads up. All our sites were auto updated and see fine.
    Keep up the good work.
    Alastair

  • Thanks for the update on the update. My sites all check out fine! Wish I could see you for the conference!

  • Joost, can we get more technical details on what exactly you had to do to fix this security issue? It is rather worrying to hear that you needed “far stricter sanitization” than esc_sql, since that function ultimately just calls mysql_real_escape_string (as does wpdb::prepare), which has been the standard security advice for years. In fact the data validation page in the WordPress Codex still recommends the use of those functions:
    http://codex.wordpress.org/Data_Validation

  • Hey, this fix broke my website. The following PHP code I have in the head of my WordPress breaks the site:

    $object = new WPSEO_Frontend();
    if( $object ){
    echo $object->metadesc( false );
    } else{
    echo “Sample Text”;
    }

    I have since removed it. Would anyone happen to know what the new code should be? Basically it should pull in the meta description (From the plugin) IF the user has entered it in the WordPress CMS, otherwise echo “Sample Text”.

    Thank you!

  • Great update as its now broken the site! :(

    PHP Fatal error: Class ‘WPSEO_Utils’ not found in /www/www.{{PRIVATE}}.com/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78

    Thoughts on how to fix this please ?

  • Hi,

    I’m glad you fixed the problem quickly for all your users ad thanks for that!

    At the end of the article it says :

    “Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.”

    Is the version 1.5.3 the version of the main pluggin or the version of the premium pluggin? Because on all my sites, I have the version 1.3.4.1 of “Local SEO for WordPress SEO by Yoast”.

    Thanks for the help!

  • thanks for the quick response. I’ve checked all my sites and it’s all right for now

    Good job!

  • This is how Marketing realy works! Very well communication and suuuuuper quick response for the problem.
    You are great guys thanks for it….

  • I’ve updated to your plugin Version 1.7.4. However, I’m getting a security alert from Vaultpress.com security scan which says the following:

    “The plugin WordPress SEO (version 1.14.15) has a publicly known vulnerability. It is recommended deactivate and remove this plugin until a new version is released.”

    I suspect this is a false positive – perhaps something to do with the versioning system?? Have opened a ticket with Vaultpress, so will see what they say

    By the way, thanks for the fast plugin update and explanatory article.

  • I first read the security issue on another blog and it was over exaggerated! I just realized it’s more of a bug than a threat. Kudos, I use your plugin on all of my sites.

  • Thanks for fixing so quickly. Your plugins make my seo life so much easier for some of the on page nitty gritty stuff. Kepp up the great work!

  • Thats why I love to use this plugin! Thanks for the quick update.

  • Happy to get such a quick update :)

  • Thanks for the quick turn around on this one!

  • Would the forced update leave the plug-in deactivated if it was active when the update was pushed? My plug-in was deactivated sometime in the last 24 hours, and it has been auto-updated by the forced update to 1.7.4.

  • Thanks for the Quick update.

    Does this apply to your other paid plugins such as the Local SEO plugin?

  • Thanks for fixing this so fast. I have the premium version and update went smoothly. Keep up the great work with this plugin.

  • Personally I wouldn’t say this was a real security update. More of a minor bug fix. The fact it needed a targeted attack to execute kind of makes it like every day on the internet.
    If they gunna get you they will do.

  • Thanks for fixing this so quickly and communicating to users about it!

  • Thanks for fixing this quickly and getting it updated!