WordPress SEO by Yoast

WordPress SEO Security release

March 11th, 2015 – 93 Comments

This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. A bit more detail follows below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.

What did we fix?

We fixed a CSRF issue that allowed blind SQL injection. The one-sentence explanation for the not-so-technical: by having a logged-in author, editor or admin visit a malformed URL, a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of it.

Why didn’t we catch it? Well… long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect to prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse, but it’s a good lesson for other developers to learn from.
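To make the esc_sql point concrete, here is an added illustration (not the plugin’s own code, and not the patch that shipped) of the vulnerable pattern beside the hardened form the comment replies describe: restricting order and orderby to a defined set of values and checking a nonce. The table name, column names and nonce action are hypothetical.

```php
<?php
// Added illustration only; not code from the WordPress SEO plugin.
// Table name, column names and the nonce action are hypothetical.

// --- Vulnerable pattern: escaping does not help an unquoted identifier ---
function list_entries_vulnerable( $wpdb ) {
    // esc_sql() only escapes characters that matter inside a quoted string
    // value. ORDER BY takes a bare identifier, which is never quoted, so the
    // escaped value is spliced into the query unchanged and becomes SQL.
    $orderby = esc_sql( $_GET['orderby'] );
    $order   = esc_sql( $_GET['order'] );
    // No nonce check either, so a page a logged-in editor visits elsewhere
    // can make the browser send this request with parameters it did not pick.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example ORDER BY $orderby $order"
    );
}

// --- Hardened pattern: nonce check plus allow-lists for both identifiers ---
function sanitize_example_orderby( $value ) {
    $allowed = array( 'title', 'date', 'status' );
    return in_array( $value, $allowed, true ) ? $value : 'date';
}

function sanitize_example_order( $value ) {
    $value = strtoupper( (string) $value );
    return in_array( $value, array( 'ASC', 'DESC' ), true ) ? $value : 'ASC';
}

function list_entries_hardened( $wpdb ) {
    // Verify the request carries a valid nonce for this action; on failure
    // WordPress stops execution, which removes the CSRF half of the bug.
    check_admin_referer( 'example_list_action' );

    // Identifiers are reduced to a known set rather than escaped, so only
    // one of the listed column names or sort directions can reach the query.
    $orderby = sanitize_example_orderby( filter_input( INPUT_GET, 'orderby' ) );
    $order   = sanitize_example_order( filter_input( INPUT_GET, 'order' ) );

    // Actual values (as opposed to identifiers) still belong in prepare()
    // placeholders; the allow-listed identifiers are safe to interpolate.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example
             WHERE status = %s ORDER BY $orderby $order",
            'published'
        )
    );
}
```

The same escaping-versus-allow-listing distinction applies to table names, LIMIT values and any other position in a query that is not a quoted string literal.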

Responsible disclosure

We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • running 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • running 1.6.*, you’ll have been updated to 1.6.4.
  • running 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update, for many reasons. Of course, you should move to 1.7.4 as soon as you can anyway.

Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.


93 Responses to WordPress SEO Security release

  1. Wieniu
    By Wieniu on 21 March, 2015

    Thanks for these updates. I like this plugin.

  2. jason
    By jason on 20 March, 2015

    yeah, have encountered the plugin deactivating itself on MULTIPLE sites over the last week…this is definitely an issue

  3. tony
    By tony on 18 March, 2015

    looks like you didn’t like my other email address as my previous reply looks like it went through.. here is my issue:

    i recently took over a site that is using this plugin version 1.5.2.6 and when i upgrade to 1.7.4, the site breaks.. all of the pages give a ‘not found’ and i’m not sure why. i don’t think the previous person did any custom coding as they weren’t technical enough but they did update a lot of the settings for this plugin. is there something i can look at that makes this happen that maybe someone else encountered?

  4. tony
    By tony on 18 March, 2015

    tried using this reply form 3 times now and can’t get my issue posted.

  5. Rodrigo
    By Rodrigo on 18 March, 2015

    Thanks for the update of my favorite SEO plugin ;-)

  6. Farhan
    By Farhan on 18 March, 2015

    Some of my clients’ websites were having issues after the update but it was an easy fix and they’re up and running now.

  7. Lopa
    By Lopa on 18 March, 2015

    Love the plugin but I’ve had to disable WordPress SEO (1.7.4) as it doesn’t work with my WordPress 4.1.1 running the Radius theme – happy to pay for the premium version, but need assurances it will work first!

  8. James
    By James on 17 March, 2015

    Thanks for getting this sorted guys, I better crack on and get 30 or so sites updated.

  9. Claudiu
    By Claudiu on 17 March, 2015

    It’s nice to see such a great plugin actively maintained. When I first heard about this security patch it was from other sources. Yet my dashboard was saying there were no updates available.
    Later I saw it was done automatically.

    Thank you for your work

  10. John
    By John on 17 March, 2015

    Hi, I tried to update from 1.7.1 for a client but was not able to. What might be the reason for that? Thx for your help!

  11. Homepageberater
    By Homepageberater on 16 March, 2015

    Thanks!
    Update successful; two older versions I updated via FTP.

  12. Tamar
    By Tamar on 16 March, 2015

    Hi,

    I have WordPress SEO on version 1.5.3 and it doesn’t give me the option to update. Also when I go to Plugins and search to download a newer version the option isn’t there.

    How do I get to 1.7.4?
    Thanks

  13. Yavan Kumar
    By Yavan Kumar on 16 March, 2015

    Hi Joost de Valk,

    I am using this plugin for SEO, but thank you for this update, now my blog is secure :)

  14. Nick
    By Nick on 16 March, 2015

    My version hasn’t auto updated (currently 1.7.1) yet.
    If I just download and do a manual update, is that ok? Will I keep all my settings from the current version? Should I deactivate 1.7.1 first or just install 1.7.4? Thanks

  15. Sander
    By Sander on 16 March, 2015

    Is there already any news on what to do with affected sites? We had a massive break-in on three sites on the same shared hosting on the 11th at around midnight (the plugin was at that time not updated), malicious files were uploaded, unknown admins registered and tons of posts inserted directly through SQL.

    After following whatever I could find it seems I have managed to banish the unauthorized access yet the posts like this one:

    http://mosaic-stone.com/1080p-the-judge-ita/

    are still there. WordPress does say that there are 29000+ posts, yet I cannot see them. I haven’t found any literature on systems affected by this bug yet and was wondering if anyone would know what to do.

    Actually the websites don’t contain any posts posted by me so if there is an SQL trick to simply delete all of them this would probably suffice.

  16. abhishek K S
    By abhishek K S on 16 March, 2015

    thanks for the quick fix, we love this plugin

  17. sarkari naukri
    By sarkari naukri on 15 March, 2015

    Hey, can I use this plugin in my Blogger blog? Please reply as soon as possible..

  18. James
    By James on 15 March, 2015

    Hi Yoast,

    Just to corroborate what Apoorv Agrawal said on the sitemap issue.
    I’m having the same problem, my sitemap page is showing 404 error page.

    Thanks

  19. Apoorv Agrawal
    By Apoorv Agrawal on 15 March, 2015

    Well, hello Yoast. I don’t know how long this issue was up, but one thing I’m certainly getting an issue with is the sitemap: the sitemap is not getting generated; rather, it’s taking me to 404 pages! Hope to get a solution!

  20. Matthews Ohooto
    By Matthews Ohooto on 15 March, 2015

    Thanks for the quick fix and communicating to us officially about this issue.

  21. Anselm
    By Anselm on 15 March, 2015

    Currently using the free version and getting such impressive results.. will be going for the Premium version very soon for more features..

  22. Annette Riley
    By Annette Riley on 14 March, 2015

    Just made the update for the plugin. It’s working fine now and there’s no error for my blog at all.

  23. Pravash Rai
    By Pravash Rai on 14 March, 2015

    Thanks for the quick fix. SEO Yoast is the best SEO plugin :)

  24. Hamza Sheikh
    By Hamza Sheikh on 14 March, 2015

    Just a few days ago, I activated the automatic plugin update feature in my WordPress, and now I can thank the option for securing my websites while I was enjoying my sleep.

    I received a couple of messages from friends about the security breach and vulnerability. I took some time to manually check each and every installation of my WordPress that runs the SEO Yoast plugin.

  25. Dajuan
    By Dajuan on 14 March, 2015

    My site’s plugin was also deactivated. If Yoast didn’t do this, I wonder who / what deactivated the plugin on so many of our websites.

  26. Adrienne
    By Adrienne on 14 March, 2015

    Thanks for automatically fixing the plugin…

  27. Marcos Alonso
    By Marcos Alonso on 13 March, 2015

    Hi

    I’ve 2 websites that have ver 1.4 and didn’t update automatically, so I’ve to upload the latest version manually, right? Is there the possibility of losing my custom Title and Meta Tags?

  28. Omar Belkadi
    By Omar Belkadi on 13 March, 2015

    Hi,

    Thank you for the update. Most appreciated here.

    Thank God. I updated the plugin at the right time.

    Keep it up.

    Regards,
    Omar

  29. Don Hesh
    By Don Hesh on 13 March, 2015

    So what happens to the websites already attacked? I can see spam links on the top of my page?
    I discovered this issue a few weeks ago and we thought it was from Contact Form 7. Never guessed it was from Yoast.
    Thanks
    Don

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      It’s probably got nothing to do with this issue, to be honest. We’ve not seen hacks in the wild yet.

  30. Sadanand
    By Sadanand on 13 March, 2015

    Thanks for the update Joost de Valk. I have updated plugin just now!

  31. Damien Carbery
    By Damien Carbery on 13 March, 2015

    @ambrosite asked what the fix was but no answer.
    It looks like WPSEO_Utils::filter_input() is called, which calls filter_input(). As FILTER_DEFAULT is the filter used (without any flags) and the PHP docs say: “This will result in no filtering taking place by default.”, how does this fix the issue?

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      Look a bit further, we added sanitization functions that restrict the order and orderby values to a limited set.

      • Damien Carbery
        By Damien Carbery on 14 March, 2015

        Thanks. I had only looked around the lines mentioned in the WPScan disclosure. I will have to study the code to learn from it.

  32. Dan Lawrence
    By Dan Lawrence on 13 March, 2015

    Hi

    I’ve just looked through the Yoast WP SEO plugin interface for a client’s install and can’t see a version number reference anywhere; the only ref is to version 4, which I presume must be WP, not Yoast. Where do we look to check the version number?

    thanks
    dan

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      Well, a good place to find the version number for any plugin would be on the WordPress plugins page in your install :)

      • Dan Lawrence
        By Dan Lawrence on 13 March, 2015

        Cool, cheers. I’m looking at a WP Multi User install so can’t see it since I’m not a network admin, but the developer has confirmed the latest version so all is good, thanks

  33. Adam Laughlin
    By Adam Laughlin on 13 March, 2015

    I have to say, “one would expect this would prevent an SQL injection” is somewhat rude.
    I write code that is used by almost nobody, and I take the time – my own time – to read the documentation of every single function I call.
    I don’t want to diminish your character or the nature of your contributions to the Internet and to WordPress as a whole, but this is a very flagrant piece of damage control. I’m compelled to call it out; I was recommending Yoast to my employer just this morning and I am quite embarrassed. I really do regret it, now. Sorry, Joost but… they run a serious business and will be targeted.

    Shame.

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      Hey Adam,

      first of all, this code was contributed by an external developer. Second, this was reviewed multiple times and not found before. If you can guarantee me that if I let you do code reviews we’ll never find anything again in the code you have reviewed, I’d like to hire you!

      • Adam Laughlin
        By Adam Laughlin on 16 March, 2015

        That’s an incredibly positive response Joost, I’m going to make sure I learn from you here.

        Come to think of it, I now owe you one free code review… let’s actually see what I’m getting into, then.

        All of the positive feedback here had me wondering if responses were being deleted. So at the very least my attack can serve as a testament that you stand by your work.

        “…which one would expect would prevent SQL injection. It does not.”

        If ‘one would expect’ was your way of excusing the contributor’s mistake, I’ve appalled myself. I thought you were referring to yourself. There is no shame in making it clear this was another person’s mistake. I originally read that statement as a reference to your personal coding habits.

        I’m very embarrassed. Best regards.

        • Joost de Valk
          By Joost de Valk on 16 March, 2015

          No need to be embarrassed. Bugs happen. To everyone. I could have made this mistake myself, probably. I know I made plenty of mistakes like this before; luckily most of them were before we had a million+ users.

    • Don Hesh
      By Don Hesh on 13 March, 2015

      Everyone makes mistakes… So many people in the SEO industry achieve good results from this plugin. So don’t be a d..k.

  34. Nigel
    By Nigel on 13 March, 2015

    Great to hear that you updated the plugin as soon as an issue was found, even such a small one. Thanks again for the great plugin, love it!

  35. Brendan McCoy
    By Brendan McCoy on 13 March, 2015

    Never a good thing to happen but the fast update is much appreciated as always.

  36. Marc
    By Marc on 12 March, 2015

    Hello, I have version 1.5.6 of the Yoast SEO plugin but I don’t see the update available in the plugins administrator.

    How can I manually update the plugin?

    Thanks.

    • Ollie
      By Ollie on 12 March, 2015

      Hi,
      I have the same question as Marc.
      I downloaded version 1.5.7 from here: https://wordpress.org/plugins/wordpress-seo/developers/ and went to manually install the plugin, but when I looked in the backend, it said it was still on 1.5.6

      I then opened up the files and readme and saw no evidence that what I downloaded was version 1.5.7 despite it being labeled: wordpress-seo.1.5.7.zip

      Where can I get the real 1.5.7?

      • blackhawk
        By blackhawk on 13 March, 2015

        Same problem here..

      • Pim
        By Pim on 13 March, 2015

        Yes, same here.

        • Joost de Valk
          By Joost de Valk on 13 March, 2015

          That’s actually a bug in what I did. But you should really upgrade to 1.7.4

          • Pim
            By Pim on 13 March, 2015

            Hi Joost,

            Thanks for your quick response.

            Does this mean the bug in 1.5.7 is fixed in wordpress-seo.1.5.7.zip as linked on https://wordpress.org/plugins/wordpress-seo/developers ?

            Thanks for your recommendation. I understand what you are saying, but circumstances make me prefer upgrading to 1.5.7.

            Keep up the good work :)

  37. Shajjad Ali
    By Shajjad Ali on 12 March, 2015

    Oh, no! I was very worried about the malware attack! But finally I fixed it after learning from one of my Facebook friends’ status!

    Thanks for the update!

  38. Irwin
    By Irwin on 12 March, 2015

    My earlier post of one minute ago had been stripped of my quote from Silver Fox

    Version 1.7.4 is definitely safe, as it is the latest version…

  39. Irwin
    By Irwin on 12 March, 2015

    I have Version 4.1.1 yet the security release refers to

    (Thanks Silver Fox)
    I cannot make these ‘facts’ jibe.
    What should I know to understand? Is the security issue relevant to me?

  40. Chris
    By Chris on 12 March, 2015

    Just got an iThemes ‘file change warning’ that over a hundred files just got changed on my site. I panicked, searched and found this release writeup. I just love it when WordPress can take charge and auto update! Thanks for the uber-quick response Yoost! Cheers

  41. Niall Flynn
    By Niall Flynn on 12 March, 2015

    This article needs a response from the man himself:
    http://www.searchenginejournal.com/popular-wordpress-plugin-seo-by-yoast-vulnerable-to-hackers/128040/
    I think this was patched as soon as it was found, and to be fair SQL injections can happen to anything anywhere.

  42. Charles Simmons
    By Charles Simmons on 12 March, 2015

    I noticed that the forced automatic update has deactivated the plugin on every install that I’ve seen so far, about 10 at this point. Obviously, the security fix was a must and if this is the price of being secure, then so be it. But, fair warning to all, if you have clients that had this plugin installed on a site that you handed over, you may be getting a call at some point in the future if their indexing starts to look off and they don’t know about this.

  43. Kristof
    By Kristof on 12 March, 2015

    Appreciate the fast turnaround in fixing the security hole.

    My premium plugin license expired two weeks ago so I can’t update. I obviously don’t want a security issue with plugin but can’t purchase a license update right now. Is there a way I can patch this myself?

  44. Adeel Sami
    By Adeel Sami on 12 March, 2015

    Hello Joost!

    Thank you for the plugin update! I already had updated it the other day.

    ~ Adeel Sami

  45. Alastair Dodwell
    By Alastair Dodwell on 12 March, 2015

    Thanks for the heads up. All our sites were auto updated and seem fine.
    Keep up the good work.
    Alastair

  46. Kathy Goldman
    By Kathy Goldman on 12 March, 2015

    Thanks for the update on the update. My sites all check out fine! Wish I could see you for the conference!

  47. ambrosite
    By ambrosite on 12 March, 2015

    Joost, can we get more technical details on what exactly you had to do to fix this security issue? It is rather worrying to hear that you needed “far stricter sanitization” than esc_sql, since that function ultimately just calls mysql_real_escape_string (as does wpdb::prepare), which has been the standard security advice for years. In fact the data validation page in the WordPress Codex still recommends the use of those functions:
    http://codex.wordpress.org/Data_Validation

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      Read the code, you can see what we did. We restricted both parameters to a defined set of values instead of allowing any string value.

  48. Nathan
    By Nathan on 12 March, 2015

    Hey, this fix broke my website. The following PHP code I have in the head of my WordPress breaks the site:

        // Theme code posted by the commenter; quotes straightened so it parses.
        // Note: `new` never yields a falsy value, so the else branch is unreachable.
        $object = new WPSEO_Frontend();
        if ( $object ) {
            echo $object->metadesc( false );
        } else {
            echo "Sample Text";
        }

    I have since removed it. Would anyone happen to know what the new code should be? Basically it should pull in the meta description (From the plugin) IF the user has entered it in the WordPress CMS, otherwise echo “Sample Text”.

    Thank you!

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      You can’t access the Frontend class like that, nor should you…

  49. Phil
    By Phil on 12 March, 2015

    Great update as its now broken the site! :(

    PHP Fatal error: Class ‘WPSEO_Utils’ not found in /www/www.{{PRIVATE}}.com/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78

    Thoughts on how to fix this please ?

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      I don’t know how you’ve updated? That’s not an error people get when updating through WordPress.org.

      • Dr. Mike Wendell
        By Dr. Mike Wendell on 17 March, 2015

        Getting that error as well on our installs. Same line number and normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install.

        The full error:

        PHP message: PHP Fatal error: Class ‘WPSEO_Utils’ not found in /usr/share/nginx/www/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78″ while reading response header from upstream, client: 1.2.3.4, server: ourwebsite.tld, request: “GET /wp-admin/ HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php5-fpm.sock:”, host: “ourwebsite.tld”

        There’s at least 1 thread on the wp.org forums asking for help about it.

        • Joost de Valk
          By Joost de Valk on 17 March, 2015

          “normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install”: are you removing the old plugin dir and replacing it with a full extract of the new one? Sounds like you’re missing our vendor directory (which contains the auto-load files).

      • Phil
        By Phil on 13 March, 2015

        Hmmm, it was working prior to the mandatory push by WordPress. Interestingly I moved the wordpress-seo folder out of the way, downloaded the version from your site, and uploaded. As soon as I activate the plugin it fails. Where can one download the previous version from? Would like to get it running again so that I can export SEO settings, completely delete the plugin and data, and then import. Thank you.

  50. Guillaume
    By Guillaume on 12 March, 2015

    Hi,

    I’m glad you fixed the problem quickly for all your users and thanks for that!

    At the end of the article it says :

    “Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.”

    Is the version 1.5.3 the version of the main plugin or the version of the premium plugin? Because on all my sites, I have the version 1.3.4.1 of “Local SEO for WordPress SEO by Yoast”.

    Thanks for the help!

    • Joost de Valk
      By Joost de Valk on 13 March, 2015

      Hey Guillaume, Local SEO is not affected, this is the “core” WordPress SEO plugin we’re talking about.

  51. JValenzuela
    By JValenzuela on 12 March, 2015

    thanks for the quick response. I’ve checked all my sites and it’s all right for now

    Good job!

  52. Michael Freudenberg
    By Michael Freudenberg on 12 March, 2015

    This is how Marketing really works! Very good communication and suuuuuper quick response to the problem.
    You are great guys, thanks for it….

  53. Silver Fox
    By Silver Fox on 12 March, 2015

    I’ve updated to your plugin Version 1.7.4. However, I’m getting a security alert from Vaultpress.com security scan which says the following:

    “The plugin WordPress SEO (version 1.14.15) has a publicly known vulnerability. It is recommended deactivate and remove this plugin until a new version is released.”

    I suspect this is a false positive – perhaps something to do with the versioning system?? Have opened a ticket with Vaultpress, so will see what they say

    By the way, thanks for the fast plugin update and explanatory article.

    • Joost de Valk
      By Joost de Valk on 12 March, 2015

      VaultPress is reading the version number wrong, trying to figure out who to talk to on their end.

      • Silver Fox
        By Silver Fox on 12 March, 2015

        I just got this email from Vaultpress re the issue:

        “Version 1.7.4 is definitely safe, as it is the latest version released on the WordPress.org repository: https://wordpress.org/plugins/wordpress-seo/changelog/

        WordPress SEO by Yoast changed their versioning number a while back which led to this conflict. Everything should be good though.”

  54. Yeshua
    By Yeshua on 12 March, 2015

    I first read the security issue on another blog and it was over exaggerated! I just realized it’s more of a bug than a threat. Kudos, I use your plugin on all of my sites.

  55. Wundle
    By Wundle on 12 March, 2015

    Thanks for fixing so quickly. Your plugins make my SEO life so much easier for some of the on-page nitty gritty stuff. Keep up the great work!

  56. Julius
    By Julius on 12 March, 2015

    That’s why I love to use this plugin! Thanks for the quick update.

  57. Tanshir
    By Tanshir on 12 March, 2015

    Happy to get such a quick update :)

  58. Daniel McClure
    By Daniel McClure on 12 March, 2015

    Thanks for the quick turn around on this one!

  59. ScrapNancy
    By ScrapNancy on 12 March, 2015

    Would the forced update leave the plug-in deactivated if it was active when the update was pushed? My plug-in was deactivated sometime in the last 24 hours, and it has been auto-updated by the forced update to 1.7.4.

    • Nazareno
      By Nazareno on 13 March, 2015

      Which hosting were you using? Some shared or WordPress-exclusive servers may automatically disallow a plugin when a security issue is reported

    • Karen
      By Karen on 12 March, 2015

      I noticed that in two of my three installs, the plug-in was deactivated. And they were not auto updated.

      • Joost de Valk
        By Joost de Valk on 12 March, 2015

        Hmm that’s not good… And weird. The plugin itself obviously doesn’t do that…

    • Joost de Valk
      By Joost de Valk on 12 March, 2015

      No… It should just leave it active.

  60. Mike
    By Mike on 12 March, 2015

    Thanks for the Quick update.

    Does this apply to your other paid plugins such as the Local SEO plugin?

    • Joost de Valk
      By Joost de Valk on 12 March, 2015

      Hey Mike,

      no, no other plugins are affected.

      • Nick
        By Nick on 12 March, 2015

        Hi Guys – Thanks for this –
        By the way are there any known conflicts with Optimize Press 2.0? My Yoast SEO is not updating.
        Nick

  61. Derek
    By Derek on 12 March, 2015

    Thanks for fixing this so fast. I have the premium version and update went smoothly. Keep up the great work with this plugin.

  62. Earl Grey
    By Earl Grey on 12 March, 2015

    Personally I wouldn’t say this was a real security update. More of a minor bug fix. The fact it needed a targeted attack to execute kind of makes it like every day on the internet.
    If they gunna get you they will do.

  63. Natan
    By Natan on 11 March, 2015

    Thanks for fixing this so quickly and communicating to users about it!

  64. Conrad O'Connell
    By Conrad O'Connell on 11 March, 2015

    Thanks for fixing this quickly and getting it updated!
