The Army of Flying Monkeys

wicKed tRibe, rOoling tRibe!

Update your Yoast WordPress SEO Plugin as it is Vulnerable To Hackers

stuartinfiji March 13, 2015


Millions of WordPress sites have been exposed to a Blind SQL Injection vulnerability due to a security hole in the very popular Yoast SEO plugin. The plugin has been updated by its makers, so make sure to update your copy ASAP.

The Yoast WordPress SEO Plugin is used by more than 1 million WordPress websites (see their download count) and has reportedly been open to a Blind SQL Injection exploit for goodness knows how long.

A Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and infers the answer from the application's response (a changed page or a delay, for instance, rather than a visible error). This technique is typically used when the web application is configured to show only generic error messages but the vulnerable code itself has not been fixed.

It can be used to run an attacker's own SQL against the database to extract, modify or delete data. On WordPress sites it is most often used to insert unwanted or unauthorized affiliate links, spam links, or malware/adware. These are the little nasties that you don't notice for ages, unless you have a malware scan running.

If you are on WordPress, there is a good chance you are using this Yoast plugin. ALL of the website builds by the Army of the Flying Monkeys sure as heck do; it's an awesome plugin!

To fix the issue, upgrade to version 1.7.4 immediately.

This version is documented as a security fix for the issue Ryan Dewhurst found during a security scan. For the geeks and techies among us, the official changelog entry says:

Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
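The changelog above lists three defences: strict sanitation of the sort parameters, nonce checks, and a higher minimum capability. The snippet below is an added illustration (not Yoast's code) of what that looks like in a generic WordPress admin list screen: the unsafe ordering pattern first, then the hardened version. The capability, nonce action name and column names are assumptions chosen for the example; it assumes it runs inside WordPress where `$wpdb`, `check_admin_referer()` and `current_user_can()` are available.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime.

// BEFORE: request values interpolated into ORDER BY. Column names and sort
// directions cannot be bound as prepared-statement parameters, so anything
// the caller sends here lands directly in the SQL text.
function example_vulnerable_post_list() {
    global $wpdb;
    $order_by = $_GET['order_by'];
    $order    = $_GET['order'];
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY {$order_by} {$order}"
    );
}

// AFTER: capability check, nonce check, and an allowlist for both identifiers.
function example_hardened_post_list() {
    global $wpdb;

    // Minimum capability: 'edit_others_posts' is held by Editors and above
    // (assumed choice mirroring "minimal capability ... is now Editor").
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'You do not have permission to use the bulk editor.' );
    }

    // Nonce tied to this screen's action; a forged cross-site request
    // cannot carry a valid one, which is the CSRF half of the fix.
    // 'example_bulk_editor' is a hypothetical action name.
    check_admin_referer( 'example_bulk_editor' );

    // Strict sanitation: only values from a fixed set are accepted; anything
    // else falls back to a safe default rather than reaching the query.
    $allowed_columns = array( 'post_title', 'post_date', 'post_modified' );
    $order_by = isset( $_GET['order_by'] ) ? sanitize_key( $_GET['order_by'] ) : 'post_date';
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_date';
    }
    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( $_GET['order'] ) ) : 'DESC';
    if ( 'ASC' !== $order && 'DESC' !== $order ) {
        $order = 'DESC';
    }

    // Both identifiers are now known literals; the LIMIT value is bound via prepare().
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY {$order_by} {$order} LIMIT %d",
            20
        )
    );
}
```

Note that `sanitize_key()` strips everything except lowercase letters, digits, hyphens and underscores, but on its own it would still let a caller pick any column name; the allowlist comparison is what actually closes the injection point.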

From Yoast in email this morning:

On Wednesday we pushed a security release to our WordPress SEO plugin. Joost wrote about what we fixed and how we rolled out the update in this post. In short, if you haven’t updated your WordPress SEO plugin yet, free or premium, update!

Learn more about this vulnerability at TheHackerNews.com.

Side note

Yoast announced that the WordPress team actually automatically pushed an update to WordPress installs that run an older version of this plugin. So many sites running this should be automatically updated.

But go ahead and log in to your site to double check.

© 2021 · The Army of Flying Monkeys · Privacy Policy · GDPR – Request personal data · Disclaimer