SECURITY ANNOUNCEMENT - WordPress SEO by Yoast Vulnerability
Friday, 13th March, 2015, 08:51am
There is a vulnerability in WordPress SEO by Yoast. This is a CSRF vulnerability, so it is harder to exploit because it requires tricking an admin into loading a link from their own website where they're logged in.
However, it's serious enough that we're sending out an alert. Yoast has released a fix, so upgrade immediately. It's worth noting that this is getting a lot of press, so awareness of this issue among hackers is spreading quickly. Please upgrade at your earliest convenience.
The actual vulnerability is an SQL injection, but exploiting it requires admin privileges, so the actual vector is likely a CSRF attack exploiting the SQL injection vulnerability.
All our clients who have a WordPress site management contract with us have already been updated to the latest version.
All other clients are asked to update their WordPress SEO by Yoast plugin to the latest version, which resolves the issue, as soon as possible. Not doing so will risk your site being hacked.