How the Yoast WordPress SEO Plugin Makes Your Website Vulnerable!
According to recent news, the popular Yoast SEO WordPress plugin has a major vulnerability that leaves websites open to blind SQL injection. This is a very popular plugin, used by over 14 million websites. Reportedly, all versions of SEO by Yoast prior to 1.7.3.3 are vulnerable to the blind SQL injection flaw. This is alarming news for those who use the plugin, because it could seriously compromise the data on their website.
Fortunately, this is something that can easily be fixed by updating your plugin to the latest version. The Yoast team promptly patched the vulnerability upon being notified, and the newest version (1.7.4) is said to fix the problem. The Premium version of the plugin has also been updated.
In the future, you can have plugin updates taken care of automatically by going to the Manage > Plugins & Themes > Auto Updates tab. It is strongly recommended that you update all SEO and security plugins on your websites as soon as possible.
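As an added example (not code from the original post or from Yoast), the following shell script flags a site whose installed SEO by Yoast version predates the patched release 1.7.3.3 named above. It assumes WP-CLI is installed and that the plugin is registered under the slug wordpress-seo; the post itself describes a dashboard tab, not a command-line check.

```shell
#!/bin/sh
# Added example: flag an installed SEO by Yoast version that is still
# vulnerable (anything before 1.7.3.3, per the advisory above).
# Assumes WP-CLI ("wp") is on PATH and the plugin slug is "wordpress-seo".

FIXED_VERSION="1.7.3.3"

# version_lt A B -> exit 0 when dotted version A sorts before version B.
# Components are compared numerically and missing components count as 0,
# so "1.7.4" is treated as "1.7.4.0" and correctly sorts after "1.7.3.3".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# yoast_vulnerable VERSION -> exit 0 when VERSION predates the fix.
yoast_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_ROOT -> reads the installed plugin version with WP-CLI and
# prints a verdict; returns 0 if patched, 1 if vulnerable, 2 if unknown.
check_site() {
  root="$1"
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found"; return 2; }
  ver=$(wp plugin get wordpress-seo --field=version --path="$root" 2>/dev/null) || {
    echo "$root: SEO by Yoast not installed or not readable"; return 2; }
  if yoast_vulnerable "$ver"; then
    echo "$root: SEO by Yoast $ver is VULNERABLE (update to $FIXED_VERSION or later)"
    return 1
  fi
  echo "$root: SEO by Yoast $ver is patched"
  return 0
}

# Usage: check_site /var/www/html
```

Run check_site against each WordPress root you manage; a non-zero exit from a cron job is an easy way to notice a site that missed the update.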
According to Mohit Kumar of Hacker News:
So in other words, WordPress admins can be tricked into clicking on links that would then trigger an SQLi attack. After the attack, the attacker could then add their own admin account to the vulnerable WordPress site and do whatever they want with it.
Everyone who has SEO by Yoast installed is not going to be automatically affected by this. The attack can only be manually triggered by a WordPress admin, editor, or author who clicks on a dangerous link created by the attacker.