Run WordPress SEO by Yoast on your website? You need to update it

It’s an incredibly popular WordPress plugin, because it’s tremendously good at what it does.

WordPress SEO by Yoast has over one million active users, running it on their self-hosted WordPress sites to boost their appearance in search engine results.

And, as we all know, the higher you appear in search engines, the more traffic you will get.

Being one of the most popular WordPress plugins, you would expect WordPress SEO by Yoast to work really well. And it does. I know that, because I have run it on my own site here at grahamcluley.com. It’s a great plugin.


But that doesn’t mean it’s perfect.

Earlier today I was contacted by Ryan Dewhurst, a freelance security consultant and developer of the WordPress vulnerability scanner WPScan and a custodian of the WPScan Vulnerability Database.

Dewhurst explained to me that he had found a serious vulnerability in the WordPress SEO by Yoast plugin:

A remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control.

One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site.

More details of the vulnerability can be found here.

Now the good news is that the attack requires a user of the targeted website to click on a link or visit a booby-trapped webpage. This isn’t the kind of attack, therefore, which can be easily launched against every site running WordPress SEO by Yoast.

Nonetheless, it’s not the kind of flaw that you want lurking on your website.

Fortunately, the team at Yoast responded to Dewhurst’s responsible disclosure within 90 minutes of him first emailing them, and an update to the plugin was released earlier today. The paid-for Premium edition of the plugin has also been updated.


Frankly, that’s a great response to a problem that could have put users at risk. It’s brilliant that Dewhurst believes in responsible disclosure, and it’s a terrific turnaround from Yoast.

If only all vulnerabilities were fixed as smoothly.

The latest version of WordPress SEO by Yoast (1.7.4) can be found in the WordPress plugin repository. If you run the plugin on your WordPress website, make sure that you are running the latest update.
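For anyone maintaining several sites, as Richard mentions in the comments below, here is an added check (not from the post, from Yoast or from WPScan) that reads the plugin's header from each WordPress install and flags anything older than the 1.7.4 release named above. The plugin directory name wordpress-seo and the header layout are assumptions, and the sample header is constructed.

```python
import os
import re
from typing import Optional, Tuple

# Version in which the flaw was fixed, as stated in the post above.
FIXED_VERSION = "1.7.4"
# Assumption: the plugin sits under wp-content/plugins/wordpress-seo/.
PLUGIN_DIR = "wordpress-seo"
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.I | re.M)

# Constructed sample header, standing in for the top of the plugin's main file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WordPress SEO
Version: 1.7.3.3
*/
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.7.4' into (1, 7, 4) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def version_from_header(source: str) -> Optional[str]:
    """Return the Version: field, but only from a file that is a plugin header."""
    if "Plugin Name:" not in source:
        return None
    match = HEADER_RE.search(source)
    return match.group(1) if match else None

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)

def check_site(wp_root: str) -> Optional[Tuple[str, bool]]:
    """Locate the plugin under one WordPress root; return (version, vulnerable?)."""
    plugin_path = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_DIR)
    if not os.path.isdir(plugin_path):
        return None  # plugin not installed on this site
    for name in sorted(os.listdir(plugin_path)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_path, name), errors="replace") as fh:
                version = version_from_header(fh.read(4096))
            if version:
                return version, is_vulnerable(version)
    return None
```

Run check_site() once per document root; a result of (version, True) means that install still needs the update.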


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Run WordPress SEO by Yoast on your website? You need to update it”

  1. Richard

    Thank you Sir! I have at least 15 sites running this plugin. Time to visit my InfiniteWP dashboard and do a mass update. Thanks Again.

  2. Jonathan

    Thanks for clarifying the situation regarding the premium version too as it wasn't obvious if that was also affected and that today's update I had in my dashboard covers this issue. Yoast are an excellent company I have found so their quick fix is no surprise.

  3. Dev Patel

    Thank You sir…Nice Post with Great information.. Please Keep Sharing.

  4. risk manger

    This is a minimal impact bug, with admin access you can install a plugin that contains backdoor anyways.
