This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. More details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.
What did we fix?
We fixed a CSRF issue that allowed blind SQL injection. The one-sentence explanation for the not so technical: by getting a logged-in author, editor or admin to visit a crafted URL, a malicious hacker could inject SQL into a query run against your database. Because it requires a privileged user to be lured to that URL, this does not allow mass hacking of installs using this hole, but it does allow direct targeting of a user on a specific website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of it.
Why didn't we catch it? Well… long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect to prevent SQL injection. It does not. esc_sql only escapes quotes and backslashes, so it protects a value that ends up inside a quoted string literal; it does nothing for a value interpolated unquoted, such as a number or an ORDER BY column name, and it cannot stop a cross-site request that a privileged user's browser sends for them. Values need to be bound with $wpdb->prepare() placeholders or checked against a strict whitelist, and state-changing admin requests need a nonce. Not an excuse, but it's a good lesson for other developers.
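To make the lesson concrete, here is an illustrative WordPress admin handler in two versions, added as an example for this post; it is not Yoast's code and does not reproduce the plugin's actual vulnerable function. The WordPress APIs used (esc_sql, $wpdb->prepare, check_admin_referer, wp_nonce_url, current_user_can, sanitize_key, absint) are real; the table name `example_seo_meta`, the nonce action `example_seo_list` and the request parameters are made up for the example, and the code assumes it runs inside WordPress.

```php
<?php
/**
 * Illustrative admin list handler (example only, not Yoast's code).
 * Assumes the WordPress runtime: $wpdb, esc_sql(), check_admin_referer(), etc.
 * Table, nonce action and parameter names are hypothetical.
 */

// --- VULNERABLE: escaping is not the same as parameterising ---------------
function example_vulnerable_list() {
    global $wpdb;

    // esc_sql() escapes quotes, backslashes and a few control characters so
    // that a value is safe INSIDE a quoted string literal. Both values below
    // are interpolated unquoted (an identifier and a number), so an attacker
    // never needs a quote and the escaping changes nothing. A time-based
    // blind payload that avoids quotes entirely, e.g.
    //   orderby=id,IF(SUBSTR((SELECT user_pass FROM wp_users LIMIT 1),1,1)=0x24,SLEEP(5),0)
    //   post_id=1 AND SLEEP(5)
    // passes esc_sql() untouched and reaches MySQL as written.
    $orderby = esc_sql( $_GET['orderby'] ?? 'id' );
    $post_id = esc_sql( $_GET['post_id'] ?? '0' );

    // No nonce check: any page the logged-in admin happens to visit can make
    // the browser send this request (CSRF), which is what turns the injection
    // into a targeted, one-click attack on that user's site.
    return $wpdb->get_results(
        "SELECT id, post_title FROM {$wpdb->prefix}example_seo_meta "
        . "WHERE post_id = $post_id ORDER BY $orderby"
    );
}

// --- HARDENED: nonce + capability check + whitelist + prepare() -------------
function example_hardened_list() {
    global $wpdb;

    // 1. CSRF: refuse requests that do not carry a nonce tied to this action
    //    and this user. check_admin_referer() calls wp_die() on failure and
    //    reads the nonce from the _wpnonce query argument by default.
    check_admin_referer( 'example_seo_list' );

    // 2. Authorization: being logged in is not the same as being allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // 3. Identifiers cannot be bound as values: map the request onto an
    //    allow-list and never interpolate the raw input.
    $allowed = array( 'id' => 'id', 'title' => 'post_title' );
    $key     = sanitize_key( $_GET['orderby'] ?? 'id' );
    $orderby = $allowed[ $key ] ?? 'id';
    $order   = ( 'desc' === strtolower( $_GET['order'] ?? 'asc' ) ) ? 'DESC' : 'ASC';

    // 4. Values go through prepare(): %d forces an integer (so "1 AND SLEEP(5)"
    //    becomes plain 1) and %s is escaped and quoted for you.
    $post_id = absint( $_GET['post_id'] ?? 0 );

    $sql = $wpdb->prepare(
        "SELECT id, post_title FROM {$wpdb->prefix}example_seo_meta "
        . "WHERE post_id = %d ORDER BY $orderby $order LIMIT %d",
        $post_id,
        50
    );
    return $wpdb->get_results( $sql );
}

// The link that reaches the hardened handler carries the nonce; a request
// forged from another site will not have a valid one.
function example_seo_list_url( $post_id ) {
    return wp_nonce_url(
        admin_url( 'admin.php?page=example-seo-list&post_id=' . absint( $post_id ) ),
        'example_seo_list'
    );
}
```

The two fixes are independent and both are needed: the nonce stops the cross-site request from being accepted, while prepare() and the whitelist stop the injection for anyone who can reach the handler legitimately. Note that the ORDER BY column is the part prepare() alone cannot protect, which is exactly the kind of place where esc_sql() gives a false sense of safety.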
Responsible disclosure
We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.
Forced automatic update
Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:
- running on 1.7 or higher, you'll have been auto-updated to 1.7.4.
- running on 1.6.*, you'll have been updated to 1.6.4.
- running on 1.5.*, you'll have been updated to 1.5.7.
If you are on an older version, we can't auto-update you, but you should really update for plenty of other reasons too, and you should move to 1.7.4 as soon as you can anyway.
This post first appeared as WordPress SEO Security release on Yoast.