WordPress SEO Security release
This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. More details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.
What did we fix?
We fixed a CSRF issue that allowed blind SQL injection. The one-sentence explanation for the less technical: by getting a logged-in author, editor or admin to visit a malformed URL, an attacker could change your database. This hole does not allow mass hacking of installs, but it does allow direct targeting of a user on a specific website. This is a serious issue, which is why we immediately set to work to fix it when we were notified.
Why didn’t we catch it? Well… long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect to prevent SQL injection. It does not: esc_sql only escapes a value for use inside a quoted SQL string literal, and the values here (the order and orderby parameters) end up in an ORDER BY clause as a column name and a sort direction, where there are no quotes to break out of, so escaping changes nothing. Input that becomes an identifier or a keyword rather than a string cannot be made safe by escaping; it has to be restricted to a fixed list of allowed values, which is what the fix does. Not an excuse, but it’s a good lesson for other developers.
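To make that concrete, here is an added illustration (not code from the plugin or from this post) of why escaping does nothing for an ORDER BY clause and what restricting the two values to a fixed set looks like. It assumes no WordPress is loaded, so esc_sql() is replaced by a stand-in that escapes the way one escapes for a quoted string literal; the table and column names, the allowed lists and the defaults are illustrative choices, and the injected string is a generic quoteless payload shape, not the one reported against the plugin.

```php
<?php
// Added illustration: not code from the WordPress SEO plugin or this post.
// Shows why esc_sql()-style escaping cannot protect ORDER BY input and what
// restricting the order/orderby values to a fixed set looks like.
//
// Assumptions: no WordPress is loaded, so esc_sql() is replaced by a stand-in
// that escapes the way one escapes for a quoted string literal. Table name,
// column names, allowed lists and defaults are illustrative choices.

// Stand-in for esc_sql(): escape characters that matter INSIDE '...' or "...".
function esc_sql_standin(string $value): string {
    return addcslashes($value, "\\\0'\"\x1a\n\r");
}

// VULNERABLE pattern: orderby and order are an identifier and a keyword.
// They are never quoted in the SQL, so escaping quotes changes nothing.
function build_query_vulnerable(string $orderby, string $order): string {
    $orderby = esc_sql_standin($orderby);
    $order   = esc_sql_standin($order);
    return "SELECT ID, post_title FROM wp_posts ORDER BY $orderby $order";
}

// HARDENED pattern: accept only values from a closed list and fall back to a
// safe default for anything else. Identifiers and keywords cannot be bound as
// prepared-statement parameters, so an allowlist is the right control here.
const ALLOWED_ORDERBY = ['post_title', 'post_date', 'post_modified'];
const ALLOWED_ORDER   = ['ASC', 'DESC'];

function sanitize_orderby(string $value): string {
    return in_array($value, ALLOWED_ORDERBY, true) ? $value : 'post_title';
}

function sanitize_order(string $value): string {
    $value = strtoupper($value);
    return in_array($value, ALLOWED_ORDER, true) ? $value : 'ASC';
}

function build_query_hardened(string $orderby, string $order): string {
    return sprintf(
        'SELECT ID, post_title FROM wp_posts ORDER BY %s %s',
        sanitize_orderby($orderby),
        sanitize_order($order)
    );
}

// Generic quoteless payload shape used in time-based blind injection. It
// contains no quote or backslash characters, so the escaper leaves it intact
// and the vulnerable builder embeds it verbatim into the ORDER BY clause.
$payload = 'post_title, IF(1=1, SLEEP(5), 0)';

echo "Escaped only: ", build_query_vulnerable($payload, 'ASC'), PHP_EOL;
echo "Allowlisted:  ", build_query_hardened($payload, 'ASC'), PHP_EOL;
```

Run it with the php CLI and compare the two queries it prints. The allowlist is what removes the injection; the CSRF half of the bug is a separate layer, which WordPress addresses with nonces (wp_nonce_url() on the link and check_admin_referer() before acting on the request), and this stand-alone example leaves that out because it needs a running WordPress.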
Responsible disclosure
We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.
Forced automatic update
Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:
- running 1.7 or higher, you’ll have been auto-updated to 1.7.4.
- running 1.6.*, you’ll have been updated to 1.6.4.
- running 1.5.*, you’ll have been updated to 1.5.7.
If you are on an older version, we can’t auto-update you, but you should really update, for plenty of reasons. Whatever branch you are on, move to 1.7.4 as soon as you can.
Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.
Thanks for this update. I like this plugin.
Yeah, have encountered the plugin deactivating itself on MULTIPLE sites over the last week… this is definitely an issue.
Looks like you didn’t like my other email address, as my previous reply looks like it went through. Here is my issue:
I recently took over a site that is using this plugin, version 1.5.2.6, and when I upgrade to 1.7.4 the site breaks. All of the pages give a ‘not found’ and I’m not sure why. I don’t think the previous person did any custom coding, as they weren’t technical enough, but they did update a lot of the settings for this plugin. Is there something I can look at that makes this happen, that maybe someone else has encountered?
Tried using this reply form 3 times now and can’t get my issue posted.
Thanks for the update of my favorite SEO plugin ;-)
Some of my clients’ websites were having issues after the update, but it was an easy fix and they are up and running now.
Love the plugin but I’ve had to disable WordPress SEO (1.7.4) as it doesn’t work with my WordPress 4.1.1 running the Radius theme – happy to pay for the premium version, but need assurances it will work first!
Thanks for getting this sorted guys, I better crack on and get 30 or so sites updated.
It’s nice to see such a great plugin actively maintained. When I first heard about this security patch it was from another source. Yet my dashboard was saying there were no updates available.
Later I saw it was done automatically.
Thank you for your work
Hi, I tried to update from 1.7.1 for a client but was not able to. What might be the reason for that? Thx for your help!
Thanks!
Update successful; two older versions I updated via FTP.
Hi,
I have WordPress SEO on version 1.5.3 and it doesn’t give me the option to update. Also, when I go to Plugins and search to download a newer version, the option isn’t there.
How do I get to 1.7.4?
Thanks
Hi Joost de Valk,
I am using this plugin for SEO, and thank you for this update; now my blog is secure :)
My version hasn’t auto updated (currently 1.7.1) yet.
If I just download and do a manual update, is that ok? Will I keep all my settings from the current version? Should I deactivate 1.7.1 first or just install 1.7.4? Thanks
Is there already any news on what to do with affected sites? We had a massive break-in on three sites on the same shared hosting on the 11th at around midnight (the plugin was at that time not updated): malicious files were uploaded, unknown admins registered and tons of posts inserted directly through SQL.
After following whatever I could find it seems I have managed to banish the unauthorized access yet the posts like this one:
http://mosaic-stone.com/1080p-the-judge-ita/
are still there. WordPress does say that there are 29,000+ posts, yet I cannot see them. I haven’t found any literature on systems affected by this bug yet and was wondering if anyone would know what to do.
Actually the websites don’t contain any posts posted by me so if there is an SQL trick to simply delete all of them this would probably suffice.
thanks for the quick fix we love this plugin
Hey, can I use this plugin in my Blogger blog? Please reply as soon as possible.
Hi Yoast,
Just to corroborate what Apoorv Agrawal said on the sitemap issue.
I’m having the same problem, my sitemap page is showing 404 error page.
Thanks
Well, hello Yoast. I don’t know how long this issue was up, but one thing that I’m certainly getting an issue with is the sitemap: the sitemap is not getting generated; rather it’s taking me to 404 pages! Hope to get a solution!
Thanks for the quick fix and communicating to us officially about this issue.
Currently using the free version and getting impressive results. Will be going for the Premium version very soon for more features.
Just made the update for the plugin. It’s working fine now and there’s no error for my blog at all.
Thanks for the quick fix. SEO Yoast is the best SEO plugin :)
Just a few days ago, I activated the automatic plugin update feature in my WordPress, and now I can thank that option for securing my websites while I was enjoying my sleep.
I received a couple of messages from friends about the security breach and vulnerability. I took some time to manually check each and every installation of my WordPress that runs the SEO Yoast plugin.
My site’s plugin was also deactivated. If Yoast didn’t do this, I wonder who / what deactivated the plugin on so many of our websites.
Thanks for automatically fixing the plugin…
Hi
I’ve 2 websites; they have ver 1.4 and didn’t update automatically, so I have to upload the latest version manually, right? Is there the possibility of losing my custom Title and Meta Tags?
Hi,
Thank you for the update. Most appreciated here.
Thank God. I updated the plugin at the right time.
Keep it up.
Regards,
Omar
So what happens to the websites already attacked? I can see spam links at the top of my page.
I discovered this issue a few weeks ago and we thought it was from Contact Form 7. Never guessed it was from Yoast.
Thanks
Don
It’s probably got nothing to do with this issue, to be honest. We’ve not seen hacks in the wild yet.
Thanks for the update Joost de Valk. I have updated plugin just now!
@ambrosite asked what the fix was but no answer.
It looks like WPSEO_Utils::filter_input() is called, which calls filter_input(). As FILTER_DEFAULT is the filter used (without any flags) and the PHP docs say: “This will result in no filtering taking place by default.”, how does this fix the issue?
Look a bit further, we added sanitization functions that restrict the order and orderby values to a limited set.
Thanks. I had only looked around the lines mentioned in the WPScan disclosure. I will have to study the code to learn from it.
Hi
I’ve just looked through the Yoast WP SEO plugin interface for a client’s install and can’t see a version number reference anywhere; the only ref is to version 4, which I presume must be WP, not Yoast. Where do we look to check the version number?
thanks
dan
Well, a good place to find the version number for any plugin would be on the WordPress plugins page in your install :)
Cool, cheers. I’m looking at a WP Multi User install so can’t see it, since I’m not a network admin, but the developer has confirmed the latest version so all is good, thanks.
I have to say, “one would expect this would prevent an SQL injection” is somewhat rude.
I write code that is used by almost nobody, and I take the time – my own time – to read the documentation of every single function I call.
I don’t want to diminish your character or the nature of your contributions to the Internet and to WordPress as a whole, but this is a very flagrant piece of damage control. I’m compelled to call it out. I was recommending Yoast to my employer just this morning and I am quite embarrassed. I really do regret it, now. Sorry, Joost, but… they run a serious business and will be targeted.
Shame.
Hey Adam,
First of all, this code was contributed by an external developer. Second, this was reviewed multiple times and not found before. If you can guarantee me that if I let you do code reviews we’ll never find anything again in the code you have reviewed, I’d like to hire you!
That’s an incredibly positive response Joost, I’m going to make sure I learn from you here.
Come to think of it, I now owe you one free code review… let’s actually see what I’m getting into, then.
All of the positive feedback here had me wondering if responses were being deleted. So at the very least my attack can serve as a testament that you stand by your work.
“…which one would expect would prevent SQL injection. It does not.”
If ‘one would expect’ was your way of excusing the contributor’s mistake, I’ve appalled myself. I thought you were referring to yourself. There is no shame in making it clear this was another person’s mistake. I originally read that statement as a reference to your personal coding habits.
I’m very embarrassed. Best regards.
No need to be embarrassed. Bugs happen. To everyone. I could have made this mistake myself, probably. I know I made plenty of mistakes like this before; luckily most of them were before we had a million+ users.
Everyone makes mistakes… So many people in the SEO industry achieve good results from this plugin. So don’t be a d..k.
Great to hear that you updated the plugin as soon as an issue was found, even such a small one. Thanks again for the great plugin, love it!
Never a good thing to happen but the fast update is much appreciated as always.
Hello, I have version 1.5.6 of the Yoast SEO plugin but I don’t see the update available in the plugins administrator.
How can I manually update the plugin?
Thanks.
Hi,
I have the same question as Marc.
I downloaded version 1.5.7 from here: https://wordpress.org/plugins/wordpress-seo/developers/ and went to manually install the plugin, but when I looked in the backend, it said it was still on 1.5.6
I then opened up the files and readme and saw no evidence that what I downloaded was version 1.5.7 despite it being labeled: wordpress-seo.1.5.7.zip
Where can I get the real 1.5.7?
Same problem here..
Yes, same here.
That’s actually a bug in what I did. But you should really upgrade to 1.7.4
Hi Joost,
Thanks for your quick response.
Does this mean the bug in 1.5.7 is fixed in wordpress-seo.1.5.7.zip as linked on https://wordpress.org/plugins/wordpress-seo/developers ?
Thanks for your recommendation. I understand what you are saying, but circumstances make me prefer upgrading to 1.5.7.
Keep up the good work :)
Oh, no! I was very worried about the malware attack! But finally I fixed it after learning from one of my Facebook friends’ status!
Thanks for update !
My earlier post of one minute ago had been stripped of my quote from Silver Fox:
“Version 1.7.4 is definitely safe, as it is the latest version…”
I have Version 4.1.1 yet the security release refers to
(Thanks Silver Fox)
I cannot make these ‘facts’ jibe.
What should I know to understand? Is the security issue relevant to me?
Just got an iThemes ‘file change warning’ that over a hundred files just got changed on my site. I panicked, searched and found this release writeup. I just love it when WordPress can take charge and auto update! Thanks for the uber-quick response, Yoast! Cheers
This article needs a response from the man himself;
http://www.searchenginejournal.com/popular-wordpress-plugin-seo-by-yoast-vulnerable-to-hackers/128040/
I think this was patched as soon as it was found, and to be fair SQL injections can happen to anything anywhere.
I noticed that the forced automatic update has deactivated the plugin on every install that I’ve seen so far, about 10 at this point. Obviously, the security fix was a must and if this is the price of being secure, then so be it. But, fair warning to all, if you have clients that had this plugin installed on a site that you handed over, you may be getting a call at some point in the future if their indexing starts to look off and they don’t know about this.
Appreciate the fast turnaround in fixing the security hole.
My premium plugin license expired two weeks ago so I can’t update. I obviously don’t want a security issue with plugin but can’t purchase a license update right now. Is there a way I can patch this myself?
Hello Joost!
Thank you for the plugin update! I already had updated it the other day.
~ Adeel Sami
Thanks for the heads up. All our sites were auto updated and seem fine.
Keep up the good work.
Alastair
Thanks for the update on the update. My sites all check out fine! Wish I could see you for the conference!
Joost, can we get more technical details on what exactly you had to do to fix this security issue? It is rather worrying to hear that you needed “far stricter sanitization” than esc_sql, since that function ultimately just calls mysql_real_escape_string (as does wpdb::prepare), which has been the standard security advice for years. In fact the data validation page in the WordPress Codex still recommends the use of those functions:
http://codex.wordpress.org/Data_Validation
Read the code, you can see what we did. We restricted both parameters to a defined set of values instead of allowing any string value.
Hey, this fix broke my website. The following PHP code I have in the head of my WordPress breaks the site:
$object = new WPSEO_Frontend();
if ( $object ) {
    echo $object->metadesc( false );
} else {
    echo "Sample Text";
}
I have since removed it. Would anyone happen to know what the new code should be? Basically it should pull in the meta description (From the plugin) IF the user has entered it in the WordPress CMS, otherwise echo “Sample Text”.
Thank you!
You can’t access the Frontend class like that, nor should you…
Great update as its now broken the site! :(
PHP Fatal error: Class ‘WPSEO_Utils’ not found in /www/www.{{PRIVATE}}.com/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78
Thoughts on how to fix this please ?
I don’t know how you’ve updated? That’s not an error people get when updating through WordPress.org.
Getting that error as well on our installs. Same line number and normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install.
The full error:
PHP message: PHP Fatal error: Class ‘WPSEO_Utils’ not found in /usr/share/nginx/www/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78″ while reading response header from upstream, client: 1.2.3.4, server: ourwebsite.tld, request: “GET /wp-admin/ HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php5-fpm.sock:”, host: “ourwebsite.tld”
There’s at least 1 thread on the wp.org forums asking for help about it.
“normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install”: are you removing the old plugin dir and replacing it with a full extract of the new one? Sounds like you’re missing our vendor directory (which contains the auto-load files).
Hmmm, it was working prior to the mandatory push by WordPress. Interestingly, I moved the wordpress-seo folder out of the way, downloaded the version from your site, and uploaded it. As soon as I activate the plugin it fails. Where can one download the previous version from? I would like to get it running again so that I can export the SEO settings, completely delete the plugin and data, and then import. Thank you.
Hi,
I’m glad you fixed the problem quickly for all your users, and thanks for that!
At the end of the article it says :
“Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.”
Is version 1.5.3 the version of the main plugin or the version of the premium plugin? Because on all my sites, I have version 1.3.4.1 of “Local SEO for WordPress SEO by Yoast”.
Thanks for the help!
Hey Guillaume, Local SEO is not affected, this is the “core” WordPress SEO plugin we’re talking about.
thanks for the quick response. I’ve checked all my sites and it’s all right for now
Good job!
This is how marketing really works! Very good communication and a suuuuuper quick response to the problem.
You are great guys thanks for it….
I’ve updated to your plugin Version 1.7.4. However, I’m getting a security alert from Vaultpress.com security scan which says the following:
“The plugin WordPress SEO (version 1.14.15) has a publicly known vulnerability. It is recommended deactivate and remove this plugin until a new version is released.”
I suspect this is a false positive – perhaps something to do with the versioning system?? Have opened a ticket with Vaultpress, so will see what they say
By the way, thanks for the fast plugin update and explanatory article.
VaultPress is reading the version number wrong, trying to figure out who to talk to on their end.
I just got this email from Vaultpress re the issue:
“Version 1.7.4 is definitely safe, as it is the latest version released on the WordPress.org repository: https://wordpress.org/plugins/wordpress-seo/changelog/
WordPress SEO by Yoast changed their versioning number a while back which led to this conflict. Everything should be good though.”
I first read the security issue on another blog and it was over exaggerated! I just realized it’s more of a bug than a threat. Kudos, I use your plugin on all of my sites.
Thanks for fixing so quickly. Your plugins make my SEO life so much easier for some of the on-page nitty gritty stuff. Keep up the great work!
That’s why I love to use this plugin! Thanks for the quick update.
Happy to get such a quick update :)
Thanks for the quick turn around on this one!
Would the forced update leave the plug-in deactivated if it was active when the update was pushed? My plug-in was deactivated sometime in the last 24 hours, and it has been auto-updated by the forced update to 1.7.4.
Which hosting were you using? Some shared or WordPress-exclusive servers may automatically disallow a plugin when a security issue is reported to them.
I noticed that in two of my three installs, the plug-in was deactivated. And they were not auto updated.
Hmm that’s not good… And weird. The plugin itself obviously doesn’t do that…
No… It should just leave it active.
Thanks for the Quick update.
Does this apply to your other paid plugins such as the Local SEO plugin?
Hey Mike,
no, no other plugins are affected.
Hi Guys – Thanks for this –
By the way are there any known conflicts with Optimize Press 2.0? My Yoast SEO is not updating.
Nick
Thanks for fixing this so fast. I have the premium version and update went smoothly. Keep up the great work with this plugin.
Personally I wouldn’t say this was a real security update. More of a minor bug fix. The fact it needed a targeted attack to execute kind of makes it like every day on the internet.
If they’re gonna get you, they will.
Thanks for fixing this so quickly and communicating to users about it!
Thanks for fixing this quickly and getting it updated!