Security patch: Yoast SEO Premium 27.6.1

Yoast SEO Premium 27.6.1 is out now. This release contains a security fix affecting the Redirect Manager in Yoast SEO Premium. The good news: the vast majority of users are not impacted. If you’re a customer of Yoast SEO Premium, Yoast WooCommerce SEO, or Yoast SEO AI+, please read on. 

Are you affected? 

The vast majority of customers are not impacted. Your site is only potentially at risk if all three of the following are true: 

  • You are using a plan that includes the Yoast SEO Premium plugin. This includes Yoast SEO Premium, Yoast WooCommerce SEO, and Yoast SEO AI+ 
  • Your server runs Apache and you have manually changed your redirect method to write to .htaccess. If you’re using the default PHP-based redirects, you are not affected 
  • A user with the edit_posts capability has access to your site. Without this, the vulnerability cannot be exploited even if the other conditions are met 

What was the issue? 

An authenticated user could inject unexpected configuration into a site’s .htaccess file by including special characters in a redirect. Depending on what was injected, this could range from a site crash to, in the most serious cases, remote code execution.  

We have reviewed a sample of sites using the affected configuration and found no evidence of exploitation. There are no known cases of abuse. 

What’s fixed 

The patch includes three layers of protection: 

  • Input sanitization: control characters are now stripped from redirect fields before they’re saved 
  • Removed unused code: the specific endpoint involved in the vulnerability has been removed, as it was no longer used by the plugin anyway 
  • In-plugin warning: we’ve added a proactive notification that will alert you if anything unusual is detected in your redirects or .htaccess file, so you can review and act quickly without the need to go looking for it 
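The first and third layers above, as an added illustration in PHP (this is example code, not Yoast's own implementation; the function names and the array layout of the stored redirects are assumptions): control characters are stripped from the redirect fields before a Redirect line is built, and stored redirects that still contain such characters are flagged for review.

```php
<?php
// Added example (not Yoast's code): sanitize redirect fields before they
// are written to .htaccess, and flag stored redirects that still contain
// control characters so an administrator can review them.

/** Remove ASCII control characters (0x00-0x1F and 0x7F), including CR and LF. */
function example_sanitize_redirect_field(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

/** Build one .htaccess Redirect directive from sanitized fields only. */
function example_htaccess_redirect_line(string $origin, string $target, int $type): string
{
    $origin = example_sanitize_redirect_field($origin);
    $target = example_sanitize_redirect_field($target);
    return sprintf('Redirect %d %s %s', $type, $origin, $target);
}

/** Return [index => field] for every stored redirect containing control characters. */
function example_find_suspicious_redirects(array $redirects): array
{
    $flagged = [];
    foreach ($redirects as $index => $redirect) {
        foreach (['origin', 'url'] as $field) {
            if (preg_match('/[\x00-\x1F\x7F]/', $redirect[$field]) === 1) {
                $flagged[$index] = $field;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample data (assumed layout): the second entry carries an
// embedded line break, which would otherwise start a new .htaccess line.
$redirects = [
    ['origin' => '/old-page', 'url' => '/new-page', 'type' => 301],
    ['origin' => "/promo\r\n/extra", 'url' => '/sale', 'type' => 302],
];

foreach (example_find_suspicious_redirects($redirects) as $index => $field) {
    echo "Redirect #{$index}: control characters found in the '{$field}' field\n";
}
foreach ($redirects as $redirect) {
    echo example_htaccess_redirect_line($redirect['origin'], $redirect['url'], $redirect['type']), "\n";
}
```

With the sample above, the second redirect is flagged and its generated line stays a single Redirect directive because the line break has been removed.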

What you should do 

Please update to 27.6.1 from the WordPress plugins screen; your administrator can do this in under two minutes. 

If you meet all three conditions above, we recommend updating as soon as possible. If you don’t, the security fix doesn’t apply to your setup, but keeping your plugins current is always good practice, and 27.6.1 is the version we recommend for everyone. 

If you’re unsure whether you’re affected, check your redirect settings directly at [www.yoursite.com]/wp-admin/admin.php?page=wpseo_redirects#/redirect-method. If you don’t see .htaccess mode enabled, you’re not at risk. 

[Screenshot: security method in the app UI]

A full security advisory will be published soon. If you have any questions or concerns in the meantime, our support team is here to help you. 

Thank you for your continued trust in Yoast.