WordPress Plugin SEO by Yoast Vulnerable To Hackers
Hacker News reports that a vulnerability affecting millions of users has been found in industry leading WordPress plugin SEO by Yoast.
According to an advisory, all versions of SEO by Yoast before the patched release are vulnerable to a blind SQL injection flaw. This is considered a critical vulnerability because it could lead to a full compromise of your WordPress site.
In simpler terms, an attacker could exploit this vulnerability by tricking a WordPress admin into clicking a link that triggers the SQL injection.
Once the attack has been carried out, the attacker could then add their own admin account to the vulnerable WordPress site and do whatever they want with it.
A key takeaway here is that not everyone who has SEO by Yoast installed is automatically affected. The attack can only be triggered when a WordPress admin, editor, or author clicks on a malicious link crafted by the attacker.
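The chain described above (a logged-in admin follows a crafted link, the request is accepted without any proof of intent, and a request parameter lands in a SQL statement) is a general WordPress anti-pattern, not specific to this plugin. The following is an added illustration written for this page; it is not Yoast's code, and the handler names, nonce action, and query are hypothetical. It shows the vulnerable shape beside a hardened version that uses WordPress's own nonce, capability and query APIs.

```php
<?php
// Added example, not the plugin's code. A hypothetical admin list handler
// that sorts posts by user-supplied orderby/order parameters.

// VULNERABLE PATTERN: request values are interpolated straight into SQL and
// nothing ties the request to the admin's intent, so a link an admin opens
// while logged in drives the query (CSRF leading to blind SQL injection).
function demo_list_posts_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_date';
    $order   = isset( $_GET['order'] )   ? $_GET['order']   : 'DESC';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_status = 'publish' ORDER BY $orderby $order";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: require a capability and a nonce (a bare link cannot
// carry a valid nonce, which defeats the click-the-link trigger), then
// restrict orderby/order to an allow-list. Column and direction names are
// SQL identifiers and cannot be bound with $wpdb->prepare(), so the
// allow-list is the correct control for them; the value placeholder %s is
// used for the literal.
function demo_list_posts_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Nonce action name is hypothetical; it must match the one used to build links.
    check_admin_referer( 'demo_list_posts' );

    $allowed_orderby = array( 'post_date', 'post_title', 'post_author' );
    $allowed_order   = array( 'ASC', 'DESC' );

    // sanitize_key() lowercases and strips to [a-z0-9_-]; strtoupper for the direction.
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'post_date';
    $order   = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';

    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'post_date';
    }
    if ( ! in_array( $order, $allowed_order, true ) ) {
        $order = 'DESC';
    }

    $status = 'publish';
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY $orderby $order",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Links to the hardened handler must carry the nonce, for example:
// $url = wp_nonce_url( admin_url( 'admin.php?page=demo&orderby=post_title' ), 'demo_list_posts' );
```

The nonce check is what addresses the "admin clicks a link" trigger, and the allow-list is what addresses the injection itself; a fix needs both, because either control alone leaves the other weakness in place.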
In addition, this is something that can easily be fixed by updating your plugin to the latest version. The Yoast team promptly patched the flaw upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.
In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. If you don’t have the auto-update feature turned on, it’s strongly recommended that you update the SEO by Yoast plugin on all sites where you have it installed.
The full article can be read via Search Engine Journal.