
A security breach has been detected in WordPress SEO by Yoast plugin!


Search engine optimization, better known as SEO, helps Google show our webpage ahead of hundreds of millions of other sites. That’s the reason why editors of corporate and personal blogs worry so much about visibility.

If you use WordPress, you have probably installed “WordPress SEO by Yoast”, the most famous plugin that handles this task, with over 14 million downloads. An essential tool for any blogger, it helps display a post’s keywords, headline and intro, making them easier to read for the search engine and the robots that index the sites.

If you have it too, you should know that some vulnerabilities have recently been discovered in it, which any attacker could exploit to get into your blog. If you are thinking right now about uninstalling it or changing your passwords because you can’t think of anything else to do, don’t worry: the problem has already been solved. Of course, you will have to download an update soon!

Security expert Ryan Dewhurst warned about the issue a few days ago. He works for WPScan, an open source security tool that allows security professionals and web administrators to evaluate the vulnerabilities of WordPress.

Dewhurst found that a cyber-attacker could break the database’s security and obtain confidential information through a SQL injection attack in version 1.7.4 (version 1.5.3 for those who paid for the premium subscription). In addition, all the previous versions were also vulnerable.

The security gap, in the simplest terms, would allow an attacker to query the blog’s database, which would compromise the stored information (authors’ and subscribers’ usernames and passwords, for example). The vulnerability could even be used to infect the site’s visitors with malware.

The plugin’s security experts resolved the issue within 90 minutes of becoming aware of it. They patched the vulnerability and offer an update, version 1.7.4, which comes without this damn security gap and which you can download manually from their website.

The people in charge of “WordPress SEO by Yoast” thanked Dewhurst for publishing his findings and asked users to download this update as soon as possible in order to keep themselves safe.

In addition, there is a much more convenient way to stay up to date without having to keep watch for new versions. If you have WordPress version 3.7 or higher installed, you can set your plugins to install updates automatically so you don’t have to worry about them. You can do it by using the “Advanced Automatic Updates” option.
