WordPress SEO Security release

This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. More details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.

What did we fix?

We fixed a CSRF issue that allowed blind SQL injection. The one-sentence explanation for the less technical: by getting a logged-in author, editor or admin to visit a crafted URL, a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we set to work on a fix immediately when we were notified of it.

Why didn’t we catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not: escaping only protects a value that ends up inside a quoted string literal, and these values were placed in the query unquoted, so you need far stricter sanitization, namely restricting the input to a fixed set of allowed values. Not an excuse, but it’s a good lesson for other developers.
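To make that lesson concrete, here is an added illustration in plain PHP. It is not the plugin's code and not the exact patch Joost later describes in the comments (where he says the order and orderby parameters were restricted to a defined set); it shows a sort column and sort direction taken from a request being built into an ORDER BY clause once with escaping only and once with whitelist sanitization. PHP's addslashes() stands in for quote-escaping because esc_sql() needs a live WordPress install; the allowed column list, the function names and the request values are all constructed for the example.

```php
<?php
// Added example (not the plugin's code). Shows why escaping does not protect an
// ORDER BY clause and how a whitelist does. addslashes() stands in for
// quote-escaping here (an assumption; WordPress' esc_sql() needs a live install).

declare(strict_types=1);

/** Columns an admin list table may legitimately sort by (constructed set). */
const ALLOWED_ORDERBY = ['post_date', 'post_title', 'post_modified'];
/** The only two sort directions SQL accepts. */
const ALLOWED_ORDER = ['ASC', 'DESC'];

/**
 * Return the requested column only if it is in the whitelist; otherwise fall
 * back to a safe default. Identifiers cannot be quoted and escaped like string
 * literals, so a fixed set is the only reliable sanitization.
 */
function sanitize_orderby(?string $value): string
{
    return in_array($value, ALLOWED_ORDERBY, true) ? $value : 'post_date';
}

/** Same idea for the direction: anything but ASC/DESC becomes the default. */
function sanitize_order(?string $value): string
{
    $value = strtoupper((string) $value);
    return in_array($value, ALLOWED_ORDER, true) ? $value : 'DESC';
}

/** Build the ORDER BY fragment from already-whitelisted values only. */
function build_order_clause(?string $orderby, ?string $order): string
{
    return sprintf('ORDER BY %s %s', sanitize_orderby($orderby), sanitize_order($order));
}

/**
 * The weak pattern: escaping a value that is interpolated as an identifier.
 * Quote-escaping only neutralises quotes and backslashes; an identifier
 * context contains neither, so the value reaches the query unchanged.
 */
function build_order_clause_escaped_only(string $orderby, string $order): string
{
    return sprintf('ORDER BY %s %s', addslashes($orderby), addslashes($order));
}

// Constructed request values, not taken from any real site.
$requests = [
    ['orderby' => 'post_title',                    'order' => 'asc'],
    ['orderby' => 'post_modified DESC, post_date', 'order' => 'DESC'], // not a single column
    ['orderby' => null,                            'order' => null],   // parameters missing
];

foreach ($requests as $r) {
    echo 'whitelisted:  ', build_order_clause($r['orderby'], $r['order']), PHP_EOL;
    if ($r['orderby'] !== null) {
        echo 'escaped only: ', build_order_clause_escaped_only($r['orderby'], $r['order']), PHP_EOL;
    }
}
```

Run it with `php` and compare the two lines per request: the escaped-only clause reproduces the second request's extra SQL syntax verbatim, while the whitelisted clause collapses it to the default column. In a real WordPress admin screen the request should also carry a nonce checked with check_admin_referer() or wp_verify_nonce(), so that a link a logged-in user is tricked into opening is rejected outright; that covers the CSRF half of the issue, and the whitelist covers the injection half.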

Responsible disclosure

We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.

Forced automatic update

Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • running 1.7 or higher, you’ll have been auto-updated to 1.7.4;
  • running 1.6.*, you’ll have been updated to 1.6.4;
  • running 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update, for tons of reasons. Of course, you should move to 1.7.4 as soon as you can anyway.
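For anyone checking a batch of sites by hand, here is an added helper (my code, not from the post or the plugin) that applies the three patched-branch numbers above to an installed version string. The branch table mirrors the bullets; the rule that any version above 1.7.4 counts as patched, and the treatment of unparseable strings as unpatched, are my assumptions.

```php
<?php
// Added example, not from the post. Decides whether an installed free
// WordPress SEO version is at or above the patched release of its branch.

declare(strict_types=1);

/** Lowest patched release per maintained branch, as listed in the post. */
const PATCHED_BRANCHES = [
    '1.5' => '1.5.7',
    '1.6' => '1.6.4',
    '1.7' => '1.7.4',
];

/**
 * Returns true when $installed is at or above its branch's patched release.
 * Branches older than 1.5 were never patched, so they return false.
 * Versions above the newest known branch are assumed to include the fix.
 * Strings that are not dotted numbers are treated as unpatched (assumption).
 */
function is_patched(string $installed): bool
{
    if (!preg_match('/^(\d+)\.(\d+)(?:\.\d+)*$/', $installed, $m)) {
        return false;
    }
    $branch = $m[1] . '.' . $m[2];

    if (array_key_exists($branch, PATCHED_BRANCHES)) {
        return version_compare($installed, PATCHED_BRANCHES[$branch], '>=');
    }
    // Anything newer than the 1.7 branch carries the fix; anything older does not.
    return version_compare($installed, '1.7.4', '>=');
}

// Constructed sample inputs, including a four-part version like one seen in the comments.
foreach (['1.7.4', '1.7.1', '1.6.4', '1.5.2.6', '1.5.7', '1.4', '1.8.0', 'unknown'] as $v) {
    printf("%-8s %s\n", $v, is_patched($v) ? 'patched' : 'UPDATE NEEDED');
}
```

The function compares within a branch first, so 1.6.4 is reported as patched even though it is numerically below 1.7.4, which is the distinction the bullet list is making.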

Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.

93 Responses to WordPress SEO Security release

  1. Wieniu
    Wieniu  • 9 years ago

    Thanks for this update. I like this plugin.

  2. jason
    jason  • 9 years ago

    yeah, have encountered the plugin deactivating itself on MULTIPLE sites over the last week…this is definitely an issue

  3. tony
    tony  • 9 years ago

    looks like you didn’t like my other email address as my previous reply looks like it went through.. here is my issue:

    I recently took over a site that is using this plugin version 1.5.2.6 and when I upgrade to 1.7.4, the site breaks.. all of the pages give a ‘not found’ and I’m not sure why. I don’t think the previous person did any custom coding as they weren’t technical enough but they did update a lot of the settings for this plugin. Is there something I can look at that makes this happen that maybe someone else encountered?

  4. tony
    tony  • 9 years ago

    tried using this reply form 3 times now and can’t get my issue posted.

  5. Rodrigo
    Rodrigo  • 9 years ago

    Thanks for the update of my favorite SEO plugin ;-)

  6. Farhan
    Farhan  • 9 years ago

    Some of my clients’ websites were having issues after the update but it was an easy fix and they’re up and running now.

  7. Lopa
    Lopa  • 9 years ago

    Love the plugin but I’ve had to disable WordPress SEO (1.7.4) as it doesn’t work with my WordPress 4.1.1 running the Radius theme – happy to pay for the premium version, but need assurances it will work first!

  8. James
    James  • 9 years ago

    Thanks for getting this sorted guys, I better crack on and get 30 or so sites updated.

  9. Claudiu
    Claudiu  • 9 years ago

    It’s nice to see such a great plugin actively maintained. When I first heard about this security patch it was from another source. Yet my dashboard was saying there were no updates available.
    Later I saw it was done automatically.

    Thank you for your work

  10. John
    John  • 9 years ago

    Hi, I tried to update from 1.7.1 for a client but was not able to. What might be the reason for that? Thx for your help!

  11. Homepageberater
    Homepageberater  • 9 years ago

    Thanks!
    Update successful, two older versions I updated via FTP.

  12. Tamar
    Tamar  • 9 years ago

    Hi,

    I have WordPress SEO on version 1.5.3 and it doesn’t give me the option to update. Also when I go to Plugins and search to download a newer version the option isn’t there.

    How do I get to 1.7.4?
    Thanks

  13. Yavan Kumar
    Yavan Kumar  • 9 years ago

    Hi Joost de Valk,

    I am using this plugin for SEO, but thank you for this update, now my blog is secure :)

  14. Nick
    Nick  • 9 years ago

    My version hasn’t auto updated (currently 1.7.1) yet.
    If I just download and do a manual update, is that ok? Will I keep all my settings from the current version? Should I deactivate 1.7.1 first or just install 1.7.4? Thanks

  15. Sander
    Sander  • 9 years ago

    Is there already any news on what to do with affected sites? We had a massive break-in on three sites on the same shared hosting on the 11th at around midnight (the plugin was at that time not updated), malicious files were uploaded, unknown admins registered and tons of posts inserted directly through SQL.

    After following whatever I could find it seems I have managed to banish the unauthorized access yet the posts like this one:

    http://mosaic-stone.com/1080p-the-judge-ita/

    are still there, WordPress does say that there are 29000+ posts, yet I cannot see them. I haven’t found any literature on systems affected by this bug yet and was wondering if anyone would know what to do.

    Actually the websites don’t contain any posts posted by me so if there is an SQL trick to simply delete all of them this would probably suffice.

  16. abhishek K S
    abhishek K S  • 9 years ago

    thanks for the quick fix we love this plugin

  17. sarkari naukri
    sarkari naukri  • 9 years ago

    Hey, can I use this plugin in my Blogger blog? Please reply as soon as possible..

  18. James
    James  • 9 years ago

    Hi Yoast,

    Just to corroborate what Apoorv Agrawal said on the sitemap issue.
    I’m having the same problem, my sitemap page is showing a 404 error page.

    Thanks

  19. Apoorv Agrawal
    Apoorv Agrawal  • 9 years ago

    Well hello Yoast, I don’t know since how long this issue was up, but one thing that I’m certainly getting an issue with is the site map: the site map is not getting generated, rather it’s taking it to 404 pages! Hope to get a solution!

  20. Matthews Ohooto
    Matthews Ohooto  • 9 years ago

    Thanks for the quick fix and communicating to us officially about this issue.

  21. Anselm
    Anselm  • 9 years ago

    Currently using the free version and getting such impressive results.. will be going for the Premium version very soon for more features..

  22. Annette Riley
    Annette Riley  • 9 years ago

    Just made the update for the plugin. It’s working fine now and there’s no error for my blog at all.

  23. Pravash Rai
    Pravash Rai  • 9 years ago

    Thanks for the quick fix. SEO Yoast is the best SEO plugin :)

  24. Hamza Sheikh
    Hamza Sheikh  • 9 years ago

    Just a few days ago, I activated the automatic plugin update feature in my WordPress, and now I can thank that option for securing my websites while I was enjoying my sleep.

    I received a couple of messages from friends about the security breach and vulnerability. I took some time to manually check each and every installation of my WordPress that runs the SEO Yoast plugin.

  25. Dajuan
    Dajuan  • 9 years ago

    My site’s plugin was also deactivated. If Yoast didn’t do this, I wonder who / what deactivated the plugin on so many of our websites.

  26. Adrienne
    Adrienne  • 9 years ago

    Thanks for automatically fixing the plugin…

  27. Marcos Alonso
    Marcos Alonso  • 9 years ago

    Hi

    I’ve 2 websites, they have ver 1.4 and didn’t update automatically, so I’ve to upload the latest version manually, right? Is there the possibility of losing my custom Title and Meta Tags?

  28. Omar Belkadi
    Omar Belkadi  • 9 years ago

    Hi,

    Thank you for the update. Most appreciated here.

    Thank God I updated the plugin at the right time.

    Keep it up.

    Regards,
    Omar

  29. Don Hesh
    Don Hesh  • 9 years ago

    So what happens to the websites already attacked? I can see spam links on the top of my page?
    I discovered this issue a few weeks ago and we thought it’s from Contact Form 7. Never guessed it’s from Yoast.
    Thanks
    Don

    • Joost de Valk

      It’s probably got nothing to do with this issue, to be honest. We’ve not seen hacks in the wild yet.

  30. Sadanand
    Sadanand  • 9 years ago

    Thanks for the update Joost de Valk. I have updated plugin just now!

  31. Damien Carbery
    Damien Carbery  • 9 years ago

    @ambrosite asked what the fix was but no answer.
    It looks like WPSEO_Utils::filter_input() is called, which calls filter_input(). As FILTER_DEFAULT is the filter used (without any flags) and the PHP docs say: “This will result in no filtering taking place by default.”, how does this fix the issue?

    • Joost de Valk

      Look a bit further, we added sanitization functions that restrict the order and orderby values to a limited set.

      • Damien Carbery
        Damien Carbery  • 9 years ago

        Thanks. I had only looked around the lines mentioned in the WPScan disclosure. I will have to study the code to learn from it.

  32. Dan Lawrence
    Dan Lawrence  • 9 years ago

    Hi

    I’ve just looked through the Yoast WP SEO plugin interface for a client’s install and can’t see a version number reference anywhere, the only ref is to version 4 which I presume must be WP not Yoast. Where do we look to check the version number?

    thanks
    dan

    • Joost de Valk

      Well, a good place to find the version number for any plugin would be on the WordPress plugins page in your install :)

      • Dan Lawrence
        Dan Lawrence  • 9 years ago

        cool cheers, I’m looking at a WP Multi User install so can’t see it since I’m not a network admin, but the developer has confirmed latest version so all is good, thanks

  33. Adam Laughlin
    Adam Laughlin  • 9 years ago

    I have to say, “one would expect this would prevent an SQL injection” is somewhat rude.
    I write code that is used by almost nobody, and I take the time – my own time – to read the documentation of every single function I call.
    I don’t want to diminish your character or the nature of your contributions to the Internet and to WordPress as a whole, but this is a very flagrant piece of damage control. I’m compelled to call it out, I was recommending Yoast to my employer just this morning and I am quite embarrassed. I really do regret it, now. Sorry, Joost but… they run a serious business and will be targeted.

    Shame.

    • Joost de Valk

      Hey Adam,

      first of all, this code was contributed by an external developer. Second, this was reviewed multiple times and not found before. If you can guarantee me that if I let you do code reviews we’ll never find anything again in the code you have reviewed, I’d like to hire you!

      • Adam Laughlin
        Adam Laughlin  • 9 years ago

        That’s an incredibly positive response Joost, I’m going to make sure I learn from you here.

        Come to think of it, I now owe you one free code review… let’s actually see what I’m getting into, then.

        All of the positive feedback here had me wondering if responses were being deleted. So at the very least my attack can serve as a testament that you stand by your work.

        “…which one would expect would prevent SQL injection. It does not.”

        If ‘one would expect’ was your way of excusing the contributor’s mistake, I’ve appalled myself. I thought you were referring to yourself. There is no shame in making it clear this was another person’s mistake. I originally read that statement as a reference to your personal coding habits.

        I’m very embarrassed. Best regards.

        • Joost de Valk

          No need to be embarrassed. Bugs happen. To everyone. I could have made this mistake myself, probably. I know I made plenty of mistakes like this before, luckily most of them were before we had a million+ users.

    • Don Hesh
      Don Hesh  • 9 years ago

      Everyone makes mistakes… So many people in the SEO industry achieve good results from this plugin. So don’t be a d..k.

  34. Nigel
    Nigel  • 9 years ago

    Great to hear that you updated the plugin as soon as an issue was found, even such a small one. Thanks again for the great plugin, love it!

  35. Brendan McCoy
    Brendan McCoy  • 9 years ago

    Never a good thing to happen but the fast update is much appreciated as always.

  36. Marc
    Marc  • 9 years ago

    Hello, I have version 1.5.6 of yoast seo plugin but I don’t see the update available on the plugins administrator.

    How can I manually update the plugin?

    Thanks.

    • Ollie
      Ollie  • 9 years ago

      Hi,
      I have the same question as Marc.
      I downloaded version 1.5.7 from here: https://wordpress.org/plugins/wordpress-seo/developers/ and went to manually install the plugin, but when I looked in the backend, it said it was still on 1.5.6

      I then opened up the files and readme and saw no evidence that what I downloaded was version 1.5.7 despite it being labeled: wordpress-seo.1.5.7.zip

      Where can I get the real 1.5.7?

      • blackhawk
        blackhawk  • 9 years ago

        Same problem here..

      • Pim
        Pim  • 9 years ago

        Yes, same here.

        • Joost de Valk

          That’s actually a bug in what I did. But you should really upgrade to 1.7.4

          • Pim
            Pim  • 9 years ago

            Hi Joost,

            Thanks for your quick response.

            Does this mean the bug in 1.5.7 is fixed in wordpress-seo.1.5.7.zip as linked on https://wordpress.org/plugins/wordpress-seo/developers ?

            Thanks for your recommendation. I understand what you are saying, but circumstances make me prefer upgrading to 1.5.7.

            Keep up the good work :)

  37. Shajjad Ali
    Shajjad Ali  • 9 years ago

    Oh, no! I was very worried about the malware attack! But finally I fixed it after learning from one of my Facebook friends’ status!

    Thanks for update !

  38. Irwin
    Irwin  • 9 years ago

    My earlier post of one minute ago had been stripped of my quote from Silver Fox

    Version 1.7.4 is definitely safe, as it is the latest version…

  39. Irwin
    Irwin  • 9 years ago

    I have Version 4.1.1 yet the security release refers to

    (Thanks Silver Fox)
    I cannot make these ‘facts’ jibe.
    What should I know to understand? Is the security issue relevant to me?

  40. Chris
    Chris  • 9 years ago

    Just got an iThemes ‘file change warning’ that over a hundred files just got changed on my site. I panicked, searched and found this release writeup. I just love it when WordPress can take charge and auto update! Thanks for the uber-quick response Yoast! Cheers

  41. Niall Flynn
    Niall Flynn  • 9 years ago

    This article needs a response from the man himself;
    http://www.searchenginejournal.com/popular-wordpress-plugin-seo-by-yoast-vulnerable-to-hackers/128040/
    I think this was patched as soon as it was found, and to be fair SQL injections can happen to anything anywhere.

  42. Charles Simmons
    Charles Simmons  • 9 years ago

    I noticed that the forced automatic update has deactivated the plugin on every install that I’ve seen so far, about 10 at this point. Obviously, the security fix was a must and if this is the price of being secure, then so be it. But, fair warning to all, if you have clients that had this plugin installed on a site that you handed over, you may be getting a call at some point in the future if their indexing starts to look off and they don’t know about this.

  43. Kristof
    Kristof  • 9 years ago

    Appreciate the fast turnaround in fixing the security hole.

    My premium plugin license expired two weeks ago so I can’t update. I obviously don’t want a security issue with the plugin but can’t purchase a license update right now. Is there a way I can patch this myself?

  44. Adeel Sami
    Adeel Sami  • 9 years ago

    Hello Joost!

    Thank you for the plugin update! I already had updated it the other day.

    ~ Adeel Sami

  45. Alastair Dodwell
    Alastair Dodwell  • 9 years ago

    Thanks for the heads up. All our sites were auto updated and seem fine.
    Keep up the good work.
    Alastair

  46. Kathy Goldman
    Kathy Goldman  • 9 years ago

    Thanks for the update on the update. My sites all check out fine! Wish I could see you for the conference!

  47. ambrosite
    ambrosite  • 9 years ago

    Joost, can we get more technical details on what exactly you had to do to fix this security issue? It is rather worrying to hear that you needed “far stricter sanitization” than esc_sql, since that function ultimately just calls mysql_real_escape_string (as does wpdb::prepare), which has been the standard security advice for years. In fact the data validation page in the WordPress Codex still recommends the use of those functions:
    http://codex.wordpress.org/Data_Validation

    • Joost de Valk

      Read the code, you can see what we did. We restricted both parameters to a defined set of values instead of allowing any string value.

  48. Nathan
    Nathan  • 9 years ago

    Hey, this fix broke my website. The following PHP code I have in the head of my WordPress breaks the site:

    // Theme head snippet as posted; only the quote characters were corrected.
    $object = new WPSEO_Frontend();
    if ( $object ) {
        echo $object->metadesc( false );
    } else {
        echo "Sample Text";
    }

    I have since removed it. Would anyone happen to know what the new code should be? Basically it should pull in the meta description (From the plugin) IF the user has entered it in the WordPress CMS, otherwise echo “Sample Text”.

    Thank you!

    • Joost de Valk

      You can’t access the Frontend class like that, nor should you…

  49. Phil
    Phil  • 9 years ago

    Great update, as it’s now broken the site! :(

    PHP Fatal error: Class ‘WPSEO_Utils’ not found in /www/www.{{PRIVATE}}.com/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78

    Thoughts on how to fix this please ?

    • Joost de Valk

      I don’t know how you’ve updated? That’s not an error people get when updating through WordPress.org.

      • Dr. Mike Wendell
        Dr. Mike Wendell  • 9 years ago

        Getting that error as well on our installs. Same line number and normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install.

        The full error:

        PHP message: PHP Fatal error: Class ‘WPSEO_Utils’ not found in /usr/share/nginx/www/wordpress/wp-content/plugins/wordpress-seo/admin/class-admin.php on line 78″ while reading response header from upstream, client: 1.2.3.4, server: ourwebsite.tld, request: “GET /wp-admin/ HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php5-fpm.sock:”, host: “ourwebsite.tld”

        There’s at least 1 thread on the wp.org forums asking for help about it.

        • Joost de Valk

          “normally we do our upgrades from wordpress.org after manually reviewing what’s coming down on a test install”: are you removing the old plugin dir and replacing it with a full extract of the new one? Sounds like you’re missing our vendor directory (which contains the auto-load files).

      • Phil
        Phil  • 9 years ago

        Hmmm, it was working prior to the mandatory push by WordPress. Interestingly I moved the wordpress-seo folder out of the way, downloaded the version from your site, and uploaded. As soon as I activate the plugin it fails. Where can one download the previous version from? Would like to get it running again so that I can export SEO settings, completely delete the plugin and data, and then import. Thank you.

  50. Guillaume
    Guillaume  • 9 years ago

    Hi,

    I’m glad you fixed the problem quickly for all your users and thanks for that!

    At the end of the article it says :

    “Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.”

    Is the version 1.5.3 the version of the main plugin or the version of the premium plugin? Because on all my sites, I have version 1.3.4.1 of “Local SEO for WordPress SEO by Yoast”.

    Thanks for the help!

    • Joost de Valk

      Hey Guillaume, Local SEO is not affected, this is the “core” WordPress SEO plugin we’re talking about.

  51. JValenzuela
    JValenzuela  • 9 years ago

    thanks for the quick response. I’ve checked all my sites and it’s all right for now

    Good job!

  52. Michael Freudenberg
    Michael Freudenberg  • 9 years ago

    This is how marketing really works! Very good communication and a suuuuuper quick response to the problem.
    You are great guys, thanks for it….

  53. Silver Fox
    Silver Fox  • 9 years ago

    I’ve updated to your plugin Version 1.7.4. However, I’m getting a security alert from Vaultpress.com security scan which says the following:

    “The plugin WordPress SEO (version 1.14.15) has a publicly known vulnerability. It is recommended deactivate and remove this plugin until a new version is released.”

    I suspect this is a false positive – perhaps something to do with the versioning system?? Have opened a ticket with Vaultpress, so will see what they say

    By the way, thanks for the fast plugin update and explanatory article.

    • Joost de Valk

      VaultPress is reading the version number wrong, trying to figure out who to talk to on their end.

      • Silver Fox
        Silver Fox  • 9 years ago

        I just got this email from Vaultpress re the issue:

        “Version 1.7.4 is definitely safe, as it is the latest version released on the WordPress.org repository: https://wordpress.org/plugins/wordpress-seo/changelog/

        WordPress SEO by Yoast changed their versioning number a while back which led to this conflict. Everything should be good though.”

  54. Yeshua
    Yeshua  • 9 years ago

    I first read the security issue on another blog and it was over exaggerated! I just realized it’s more of a bug than a threat. Kudos, I use your plugin on all of my sites.

  55. Wundle
    Wundle  • 9 years ago

    Thanks for fixing so quickly. Your plugins make my SEO life so much easier for some of the on-page nitty gritty stuff. Keep up the great work!

  56. Julius
    Julius  • 9 years ago

    That’s why I love to use this plugin! Thanks for the quick update.

  57. Tanshir
    Tanshir  • 9 years ago

    Happy to get such a quick update :)

  58. Daniel McClure
    Daniel McClure  • 9 years ago

    Thanks for the quick turn around on this one!

  59. ScrapNancy
    ScrapNancy  • 9 years ago

    Would the forced update leave the plug-in deactivated if it was active when the update was pushed? My plug-in was deactivated sometime in the last 24 hours, and it has been auto-updated by the forced update to 1.7.4.

    • Nazareno
      Nazareno  • 9 years ago

      Which hosting were you using? Some shared or WordPress-exclusive servers may automatically disallow a plugin when they’re notified of a security issue

    • Karen
      Karen  • 9 years ago

      I noticed that in two of my three installs, the plug-in was deactivated. And they were not auto updated.

      • Joost de Valk

        Hmm that’s not good… And weird. The plugin itself obviously doesn’t do that…

    • Joost de Valk

      No… It should just leave it active.

  60. Mike
    Mike  • 9 years ago

    Thanks for the Quick update.

    Does this apply to your other paid plugins such as the Local SEO plugin?

    • Joost de Valk

      Hey Mike,

      no, no other plugins are affected.

      • Nick
        Nick  • 9 years ago

        Hi Guys – Thanks for this –
        By the way are there any known conflicts with Optimize Press 2.0? My Yoast SEO is not updating.
        Nick

  61. Derek
    Derek  • 9 years ago

    Thanks for fixing this so fast. I have the premium version and update went smoothly. Keep up the great work with this plugin.

  62. Earl Grey
    Earl Grey  • 9 years ago

    Personally I wouldn’t say this was a real security update. More of a minor bug fix. The fact it needed a targeted attack to execute kind of makes it like every day on the internet.
    If they’re gonna get you, they will do.

  63. Natan
    Natan  • 9 years ago

    Thanks for fixing this so quickly and communicating to users about it!

  64. Conrad O'Connell
    Conrad O'Connell  • 9 years ago

    Thanks for fixing this quickly and getting it updated!