Blind SQL Injection Exploit in “WordPress SEO Plugin by Yoast”

On March 11, 2015, the WordPress SEO by Yoast plugin was found to have a blind SQL injection vulnerability, reachable through a CSRF flaw. Yoast fixed the issue immediately and explained it as follows:

“We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.”
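The quoted description names two distinct defects: a missing CSRF check, which lets a forged link act with the privileges of the logged-in user who clicks it, and unparameterized SQL, which turns that forged request into a database write. The PHP below is an added illustration of the two controls that close this kind of path in a WordPress admin handler; it is not Yoast's code and does not reproduce the plugin's fix. The action name, table name and parameters are hypothetical.

```php
<?php
// Added illustration (not the plugin's own code): a WordPress admin-post
// handler hardened against CSRF and SQL injection. Names are hypothetical.

add_action( 'admin_post_example_update_setting', 'example_update_setting' );

function example_update_setting() {
    global $wpdb;

    // 1. CSRF: require a nonce bound to this action. A link forged by a
    //    third party and visited by a logged-in admin will not carry a
    //    valid nonce, so the request is rejected before anything runs.
    check_admin_referer( 'example_update_setting' );

    // 2. Authorization: require the capability, not merely a logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. SQL injection: coerce types and bind values with $wpdb->prepare();
    //    no request data is ever concatenated into the query string.
    $id    = absint( $_POST['id'] ?? 0 );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    $table = $wpdb->prefix . 'example_settings'; // hypothetical table name

    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET setting_value = %s WHERE id = %d",
            $value,
            $id
        )
    );

    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// The link or form that reaches the handler must carry the matching nonce,
// e.g. wp_nonce_url( admin_url( 'admin-post.php?action=example_update_setting' ),
//                    'example_update_setting' )
```

The nonce check alone would have blocked the forged-link scenario Yoast describes, and the prepared statement alone would have prevented the database change; defending at both layers means a lapse in one does not become a working exploit.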

We strongly recommend updating this plugin if it is installed on your WordPress site. WordPress may already have updated it for you, but check to be certain. Installations that added the plugin after March 11, 2015 already include the fix.
