For anyone running a website, Search Engine Optimization is a constant priority. For this very reason, many WordPress site owners rely on WordPress SEO by Yoast to help with basic SEO concerns. It currently boasts over a million users, and for good reason: it's incredibly simple to set up and good at what it does.
Ryan Dewhurst, the developer of WPScan, was the first to identify a new security vulnerability in the popular plugin. The vulnerability has the potential to allow full access to any website running a less-than-current version of WordPress SEO by Yoast (1.7.4).
In a discussion with Graham Cluley, Dewhurst was quoted as saying:
A remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress website by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.
One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire website.
The good news?
One of the things that make plugins by Yoast so great is their team that seems to always be working. Within 90 minutes of receiving Dewhurst’s responsible disclosure of the vulnerability, Yoast released an updated version of the plugin fixing the security issue.
Making sure this doesn't happen to your site is simple. Just log in to your WordPress installs and update your copy!